projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Remove the send_lock spinlock from ERTM
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / l2cap.c
CommitLineData
8e87d142 1/*
1da177e4
LT		 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
8e87d142
YH		 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth L2CAP core and sockets. */
26
1da177e4
LT		 27#include <linux/module.h>
28
29#include <linux/types.h>
4fc268d2 30#include <linux/capability.h>
1da177e4
LT		 31#include <linux/errno.h>
32#include <linux/kernel.h>
1da177e4
LT		 33#include <linux/sched.h>
34#include <linux/slab.h>
35#include <linux/poll.h>
36#include <linux/fcntl.h>
37#include <linux/init.h>
38#include <linux/interrupt.h>
39#include <linux/socket.h>
40#include <linux/skbuff.h>
1da177e4 41#include <linux/list.h>
be9d1227 42#include <linux/device.h>
aef7d97c
MH		 43#include <linux/debugfs.h>
44#include <linux/seq_file.h>
af05b30b 45#include <linux/uaccess.h>
fcc203c3 46#include <linux/crc16.h>
1da177e4
LT		 47#include <net/sock.h>
48
49#include <asm/system.h>
1da177e4
LT		 50#include <asm/unaligned.h>
51
52#include <net/bluetooth/bluetooth.h>
53#include <net/bluetooth/hci_core.h>
54#include <net/bluetooth/l2cap.h>
55
44dd46de
MH		 56#define VERSION "2.14"
57
58static int enable_ertm = 0;
f0709e03 59
47ec1dcd 60static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
e1027a7c 61static u8 l2cap_fixed_chan[8] = { 0x02, };
1da177e4 62
90ddc4f0 63static const struct proto_ops l2cap_sock_ops;
1da177e4 64
1890d36b
GP		 65static struct workqueue_struct *_busy_wq;
66
1da177e4 67static struct bt_sock_list l2cap_sk_list = {
d5fb2962 68 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
1da177e4
LT		 69};
70
1890d36b
GP		 71static void l2cap_busy_work(struct work_struct *work);
72
1da177e4
LT		 73static void __l2cap_sock_close(struct sock *sk, int reason);
74static void l2cap_sock_close(struct sock *sk);
75static void l2cap_sock_kill(struct sock *sk);
76
77static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
78 u8 code, u8 ident, u16 dlen, void *data);
79
80/* ---- L2CAP timers ---- */
81static void l2cap_sock_timeout(unsigned long arg)
82{
83 struct sock *sk = (struct sock *) arg;
b1235d79 84 int reason;
1da177e4
LT		 85
86 BT_DBG("sock %p state %d", sk, sk->sk_state);
87
88 bh_lock_sock(sk);
b1235d79 89
f62e4323
MH		 90 if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
91 reason = ECONNREFUSED;
92 else if (sk->sk_state == BT_CONNECT &&
2af6b9d5 93 l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
b1235d79
MH		 94 reason = ECONNREFUSED;
95 else
96 reason = ETIMEDOUT;
97
98 __l2cap_sock_close(sk, reason);
99
1da177e4
LT		 100 bh_unlock_sock(sk);
101
102 l2cap_sock_kill(sk);
103 sock_put(sk);
104}
105
106static void l2cap_sock_set_timer(struct sock *sk, long timeout)
107{
108 BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
109 sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
110}
111
112static void l2cap_sock_clear_timer(struct sock *sk)
113{
114 BT_DBG("sock %p state %d", sk, sk->sk_state);
115 sk_stop_timer(sk, &sk->sk_timer);
116}
117
0139418c
MH		 118/* ---- L2CAP channels ---- */
119static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
120{
121 struct sock *s;
122 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
123 if (l2cap_pi(s)->dcid == cid)
124 break;
125 }
126 return s;
127}
128
129static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
130{
131 struct sock *s;
132 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
133 if (l2cap_pi(s)->scid == cid)
134 break;
135 }
136 return s;
137}
138
139/* Find channel with given SCID.
140 * Returns locked socket */
141static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
142{
143 struct sock *s;
144 read_lock(&l->lock);
145 s = __l2cap_get_chan_by_scid(l, cid);
af05b30b
GP		 146 if (s)
147 bh_lock_sock(s);
0139418c
MH		 148 read_unlock(&l->lock);
149 return s;
150}
151
152static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
153{
154 struct sock *s;
155 for (s = l->head; s; s = l2cap_pi(s)->next_c) {
156 if (l2cap_pi(s)->ident == ident)
157 break;
158 }
159 return s;
160}
161
162static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
163{
164 struct sock *s;
165 read_lock(&l->lock);
166 s = __l2cap_get_chan_by_ident(l, ident);
af05b30b
GP		 167 if (s)
168 bh_lock_sock(s);
0139418c
MH		 169 read_unlock(&l->lock);
170 return s;
171}
172
173static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
174{
8db4dc46 175 u16 cid = L2CAP_CID_DYN_START;
0139418c 176
8db4dc46 177 for (; cid < L2CAP_CID_DYN_END; cid++) {
af05b30b 178 if (!__l2cap_get_chan_by_scid(l, cid))
0139418c
MH		 179 return cid;
180 }
181
182 return 0;
183}
184
185static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
186{
187 sock_hold(sk);
188
189 if (l->head)
190 l2cap_pi(l->head)->prev_c = sk;
191
192 l2cap_pi(sk)->next_c = l->head;
193 l2cap_pi(sk)->prev_c = NULL;
194 l->head = sk;
195}
196
197static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
198{
199 struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
200
fd1278d7 201 write_lock_bh(&l->lock);
0139418c
MH		 202 if (sk == l->head)
203 l->head = next;
204
205 if (next)
206 l2cap_pi(next)->prev_c = prev;
207 if (prev)
208 l2cap_pi(prev)->next_c = next;
fd1278d7 209 write_unlock_bh(&l->lock);
0139418c
MH		 210
211 __sock_put(sk);
212}
213
214static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
215{
216 struct l2cap_chan_list *l = &conn->chan_list;
217
af05b30b
GP		 218 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
219 l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
0139418c 220
2950f21a
MH		 221 conn->disc_reason = 0x13;
222
0139418c
MH		 223 l2cap_pi(sk)->conn = conn;
224
bd3c9e25 225 if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
0139418c
MH		 226 /* Alloc CID for connection-oriented socket */
227 l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
228 } else if (sk->sk_type == SOCK_DGRAM) {
229 /* Connectionless socket */
8db4dc46
GP		 230 l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
231 l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
0139418c
MH		 232 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
233 } else {
234 /* Raw socket can send/recv signalling messages only */
8db4dc46
GP		 235 l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
236 l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
0139418c
MH		 237 l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
238 }
239
240 __l2cap_chan_link(l, sk);
241
242 if (parent)
243 bt_accept_enqueue(parent, sk);
244}
245
8e87d142 246/* Delete channel.
0139418c
MH		 247 * Must be called on the locked socket. */
248static void l2cap_chan_del(struct sock *sk, int err)
249{
250 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
251 struct sock *parent = bt_sk(sk)->parent;
252
253 l2cap_sock_clear_timer(sk);
254
255 BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
256
8e87d142 257 if (conn) {
0139418c
MH		 258 /* Unlink from channel list */
259 l2cap_chan_unlink(&conn->chan_list, sk);
260 l2cap_pi(sk)->conn = NULL;
261 hci_conn_put(conn->hcon);
262 }
263
b1235d79 264 sk->sk_state = BT_CLOSED;
0139418c
MH		 265 sock_set_flag(sk, SOCK_ZAPPED);
266
267 if (err)
268 sk->sk_err = err;
269
270 if (parent) {
271 bt_accept_unlink(sk);
272 parent->sk_data_ready(parent, 0);
273 } else
274 sk->sk_state_change(sk);
c13ffa62
GP		 275
276 skb_queue_purge(TX_QUEUE(sk));
277
278 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
279 struct srej_list *l, *tmp;
280
281 del_timer(&l2cap_pi(sk)->retrans_timer);
282 del_timer(&l2cap_pi(sk)->monitor_timer);
283 del_timer(&l2cap_pi(sk)->ack_timer);
284
285 skb_queue_purge(SREJ_QUEUE(sk));
286 skb_queue_purge(BUSY_QUEUE(sk));
287
288 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
289 list_del(&l->list);
290 kfree(l);
291 }
292 }
0139418c
MH		 293}
294
79d554a6 295/* Service level security */
2af6b9d5 296static inline int l2cap_check_security(struct sock *sk)
79d554a6
MH		 297{
298 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
0684e5f9
MH		 299 __u8 auth_type;
300
00ae4af9
MH		 301 if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
302 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
303 auth_type = HCI_AT_NO_BONDING_MITM;
304 else
af05b30b 305 auth_type = HCI_AT_NO_BONDING;
00ae4af9
MH		 306
307 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
308 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
309 } else {
310 switch (l2cap_pi(sk)->sec_level) {
311 case BT_SECURITY_HIGH:
312 auth_type = HCI_AT_GENERAL_BONDING_MITM;
313 break;
314 case BT_SECURITY_MEDIUM:
315 auth_type = HCI_AT_GENERAL_BONDING;
316 break;
317 default:
318 auth_type = HCI_AT_NO_BONDING;
319 break;
320 }
0684e5f9 321 }
79d554a6 322
0684e5f9
MH		 323 return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
324 auth_type);
79d554a6
MH		 325}
326
4e8402a3
MH		 327static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
328{
329 u8 id;
330
331 /* Get next available identificator.
332 * 1 - 128 are used by kernel.
333 * 129 - 199 are reserved.
334 * 200 - 254 are used by utilities like l2ping, etc.
335 */
336
337 spin_lock_bh(&conn->lock);
338
339 if (++conn->tx_ident > 128)
340 conn->tx_ident = 1;
341
342 id = conn->tx_ident;
343
344 spin_unlock_bh(&conn->lock);
345
346 return id;
347}
348
9a9c6a34 349static inline void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
4e8402a3
MH		 350{
351 struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
352
353 BT_DBG("code 0x%2.2x", code);
354
355 if (!skb)
9a9c6a34 356 return;
4e8402a3 357
9a9c6a34 358 hci_send_acl(conn->hcon, skb, 0);
4e8402a3
MH		 359}
360
9a9c6a34 361static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
1c2acffb
GP		 362{
363 struct sk_buff *skb;
364 struct l2cap_hdr *lh;
365 struct l2cap_conn *conn = pi->conn;
c13ffa62 366 struct sock *sk = (struct sock *)pi;
fcc203c3
GP		 367 int count, hlen = L2CAP_HDR_SIZE + 2;
368
c13ffa62
GP		 369 if (sk->sk_state != BT_CONNECTED)
370 return;
371
fcc203c3
GP		 372 if (pi->fcs == L2CAP_FCS_CRC16)
373 hlen += 2;
1c2acffb
GP		 374
375 BT_DBG("pi %p, control 0x%2.2x", pi, control);
376
fcc203c3 377 count = min_t(unsigned int, conn->mtu, hlen);
1c2acffb
GP		 378 control |= L2CAP_CTRL_FRAME_TYPE;
379
9e917af1
GP		 380 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
381 control |= L2CAP_CTRL_FINAL;
382 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
383 }
384
f0946ccf
GP		 385 if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
386 control |= L2CAP_CTRL_POLL;
387 pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
388 }
389
1c2acffb
GP		 390 skb = bt_skb_alloc(count, GFP_ATOMIC);
391 if (!skb)
9a9c6a34 392 return;
1c2acffb
GP		 393
394 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
fcc203c3 395 lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
1c2acffb
GP		 396 lh->cid = cpu_to_le16(pi->dcid);
397 put_unaligned_le16(control, skb_put(skb, 2));
398
fcc203c3
GP		 399 if (pi->fcs == L2CAP_FCS_CRC16) {
400 u16 fcs = crc16(0, (u8 *)lh, count - 2);
401 put_unaligned_le16(fcs, skb_put(skb, 2));
402 }
403
9a9c6a34 404 hci_send_acl(pi->conn->hcon, skb, 0);
1c2acffb
GP		 405}
406
9a9c6a34 407static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
7e743090 408{
1890d36b 409 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
7e743090 410 control |= L2CAP_SUPER_RCV_NOT_READY;
1890d36b
GP		 411 pi->conn_state |= L2CAP_CONN_RNR_SENT;
412 } else
7e743090
GP		 413 control |= L2CAP_SUPER_RCV_READY;
414
2ab25cdd
GP		 415 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
416
9a9c6a34 417 l2cap_send_sframe(pi, control);
7e743090
GP		 418}
419
e501d055
AE		 420static inline int __l2cap_no_conn_pending(struct sock *sk)
421{
422 return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND);
423}
424
79d554a6
MH		 425static void l2cap_do_start(struct sock *sk)
426{
427 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
428
429 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
984947dc
MH		 430 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
431 return;
432
e501d055 433 if (l2cap_check_security(sk) && __l2cap_no_conn_pending(sk)) {
b1235d79
MH		 434 struct l2cap_conn_req req;
435 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
436 req.psm = l2cap_pi(sk)->psm;
79d554a6 437
b1235d79 438 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 439 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 440
b1235d79 441 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
79d554a6 442 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 443 }
79d554a6
MH		 444 } else {
445 struct l2cap_info_req req;
446 req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
447
448 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
449 conn->info_ident = l2cap_get_ident(conn);
450
451 mod_timer(&conn->info_timer, jiffies +
452 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
453
454 l2cap_send_cmd(conn, conn->info_ident,
455 L2CAP_INFO_REQ, sizeof(req), &req);
456 }
457}
458
cf6c2c0b
GP		 459static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
460{
461 u32 local_feat_mask = l2cap_feat_mask;
462 if (enable_ertm)
463 local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
464
465 switch (mode) {
466 case L2CAP_MODE_ERTM:
467 return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
468 case L2CAP_MODE_STREAMING:
469 return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
470 default:
471 return 0x00;
472 }
473}
474
9b108fc0 475static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
22121fc9
GP		 476{
477 struct l2cap_disconn_req req;
478
c13ffa62
GP		 479 if (!conn)
480 return;
481
482 skb_queue_purge(TX_QUEUE(sk));
483
484 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
485 del_timer(&l2cap_pi(sk)->retrans_timer);
486 del_timer(&l2cap_pi(sk)->monitor_timer);
487 del_timer(&l2cap_pi(sk)->ack_timer);
488 }
489
22121fc9
GP		 490 req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
491 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
492 l2cap_send_cmd(conn, l2cap_get_ident(conn),
493 L2CAP_DISCONN_REQ, sizeof(req), &req);
c13ffa62
GP		 494
495 sk->sk_state = BT_DISCONN;
9b108fc0 496 sk->sk_err = err;
22121fc9
GP		 497}
498
1da177e4 499/* ---- L2CAP connections ---- */
4e8402a3
MH		 500static void l2cap_conn_start(struct l2cap_conn *conn)
501{
502 struct l2cap_chan_list *l = &conn->chan_list;
cf6c2c0b 503 struct sock_del_list del, *tmp1, *tmp2;
4e8402a3
MH		 504 struct sock *sk;
505
506 BT_DBG("conn %p", conn);
507
cf6c2c0b
GP		 508 INIT_LIST_HEAD(&del.list);
509
4e8402a3
MH		 510 read_lock(&l->lock);
511
512 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
513 bh_lock_sock(sk);
514
bd3c9e25
GP		 515 if (sk->sk_type != SOCK_SEQPACKET &&
516 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 517 bh_unlock_sock(sk);
518 continue;
519 }
520
521 if (sk->sk_state == BT_CONNECT) {
e501d055
AE		 522 if (l2cap_check_security(sk) &&
523 __l2cap_no_conn_pending(sk)) {
b1235d79 524 struct l2cap_conn_req req;
cf6c2c0b
GP		 525
526 if (!l2cap_mode_supported(l2cap_pi(sk)->mode,
527 conn->feat_mask)
528 && l2cap_pi(sk)->conf_state &
529 L2CAP_CONF_STATE2_DEVICE) {
530 tmp1 = kzalloc(sizeof(struct srej_list),
531 GFP_ATOMIC);
532 tmp1->sk = sk;
533 list_add_tail(&tmp1->list, &del.list);
534 bh_unlock_sock(sk);
535 continue;
536 }
537
b1235d79
MH		 538 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
539 req.psm = l2cap_pi(sk)->psm;
79d554a6 540
b1235d79 541 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 542 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
79d554a6 543
b1235d79 544 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4e8402a3 545 L2CAP_CONN_REQ, sizeof(req), &req);
b1235d79 546 }
79d554a6
MH		 547 } else if (sk->sk_state == BT_CONNECT2) {
548 struct l2cap_conn_rsp rsp;
549 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
550 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
551
2af6b9d5 552 if (l2cap_check_security(sk)) {
f66dc81f
MH		 553 if (bt_sk(sk)->defer_setup) {
554 struct sock *parent = bt_sk(sk)->parent;
555 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
556 rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
557 parent->sk_data_ready(parent, 0);
558
559 } else {
560 sk->sk_state = BT_CONFIG;
561 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
562 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
563 }
79d554a6
MH		 564 } else {
565 rsp.result = cpu_to_le16(L2CAP_CR_PEND);
566 rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
567 }
568
569 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
570 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4e8402a3
MH		 571 }
572
573 bh_unlock_sock(sk);
574 }
575
576 read_unlock(&l->lock);
cf6c2c0b
GP		 577
578 list_for_each_entry_safe(tmp1, tmp2, &del.list, list) {
579 bh_lock_sock(tmp1->sk);
580 __l2cap_sock_close(tmp1->sk, ECONNRESET);
581 bh_unlock_sock(tmp1->sk);
582 list_del(&tmp1->list);
583 kfree(tmp1);
584 }
4e8402a3
MH		 585}
586
587static void l2cap_conn_ready(struct l2cap_conn *conn)
588{
79d554a6
MH		 589 struct l2cap_chan_list *l = &conn->chan_list;
590 struct sock *sk;
4e8402a3 591
79d554a6 592 BT_DBG("conn %p", conn);
4e8402a3 593
79d554a6 594 read_lock(&l->lock);
4e8402a3 595
79d554a6
MH		 596 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
597 bh_lock_sock(sk);
4e8402a3 598
bd3c9e25
GP		 599 if (sk->sk_type != SOCK_SEQPACKET &&
600 sk->sk_type != SOCK_STREAM) {
79d554a6
MH		 601 l2cap_sock_clear_timer(sk);
602 sk->sk_state = BT_CONNECTED;
603 sk->sk_state_change(sk);
604 } else if (sk->sk_state == BT_CONNECT)
605 l2cap_do_start(sk);
4e8402a3 606
79d554a6 607 bh_unlock_sock(sk);
4e8402a3 608 }
79d554a6
MH		 609
610 read_unlock(&l->lock);
4e8402a3
MH		 611}
612
613/* Notify sockets that we cannot guaranty reliability anymore */
614static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
615{
616 struct l2cap_chan_list *l = &conn->chan_list;
617 struct sock *sk;
618
619 BT_DBG("conn %p", conn);
620
621 read_lock(&l->lock);
622
623 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2af6b9d5 624 if (l2cap_pi(sk)->force_reliable)
4e8402a3
MH		 625 sk->sk_err = err;
626 }
627
628 read_unlock(&l->lock);
629}
630
631static void l2cap_info_timeout(unsigned long arg)
632{
633 struct l2cap_conn *conn = (void *) arg;
634
984947dc 635 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 636 conn->info_ident = 0;
984947dc 637
4e8402a3
MH		 638 l2cap_conn_start(conn);
639}
640
1da177e4
LT		 641static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
642{
0139418c 643 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 644
0139418c 645 if (conn || status)
1da177e4
LT		 646 return conn;
647
0139418c
MH		 648 conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
649 if (!conn)
1da177e4 650 return NULL;
1da177e4
LT		 651
652 hcon->l2cap_data = conn;
653 conn->hcon = hcon;
654
0139418c
MH		 655 BT_DBG("hcon %p conn %p", hcon, conn);
656
1da177e4
LT		 657 conn->mtu = hcon->hdev->acl_mtu;
658 conn->src = &hcon->hdev->bdaddr;
659 conn->dst = &hcon->dst;
660
4e8402a3
MH		 661 conn->feat_mask = 0;
662
1da177e4
LT		 663 spin_lock_init(&conn->lock);
664 rwlock_init(&conn->chan_list.lock);
665
45054dc1
DY		 666 setup_timer(&conn->info_timer, l2cap_info_timeout,
667 (unsigned long) conn);
668
2950f21a
MH		 669 conn->disc_reason = 0x13;
670
1da177e4
LT		 671 return conn;
672}
673
0139418c 674static void l2cap_conn_del(struct hci_conn *hcon, int err)
1da177e4 675{
0139418c 676 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4
LT		 677 struct sock *sk;
678
0139418c
MH		 679 if (!conn)
680 return;
1da177e4
LT		 681
682 BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
683
7585b97a 684 kfree_skb(conn->rx_skb);
1da177e4
LT		 685
686 /* Kill channels */
687 while ((sk = conn->chan_list.head)) {
688 bh_lock_sock(sk);
689 l2cap_chan_del(sk, err);
690 bh_unlock_sock(sk);
691 l2cap_sock_kill(sk);
692 }
693
8e8440f5
DY		 694 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
695 del_timer_sync(&conn->info_timer);
3ab22731 696
1da177e4
LT		 697 hcon->l2cap_data = NULL;
698 kfree(conn);
1da177e4
LT		 699}
700
701static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
702{
703 struct l2cap_chan_list *l = &conn->chan_list;
fd1278d7 704 write_lock_bh(&l->lock);
1da177e4 705 __l2cap_chan_add(conn, sk, parent);
fd1278d7 706 write_unlock_bh(&l->lock);
1da177e4
LT		 707}
708
1da177e4 709/* ---- Socket interface ---- */
8e036fc3 710static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
1da177e4
LT		 711{
712 struct sock *sk;
713 struct hlist_node *node;
714 sk_for_each(sk, node, &l2cap_sk_list.head)
715 if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
716 goto found;
717 sk = NULL;
718found:
719 return sk;
720}
721
722/* Find socket with psm and source bdaddr.
723 * Returns closest match.
724 */
8e036fc3 725static struct sock *__l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 726{
727 struct sock *sk = NULL, *sk1 = NULL;
728 struct hlist_node *node;
729
730 sk_for_each(sk, node, &l2cap_sk_list.head) {
731 if (state && sk->sk_state != state)
732 continue;
733
734 if (l2cap_pi(sk)->psm == psm) {
735 /* Exact match. */
736 if (!bacmp(&bt_sk(sk)->src, src))
737 break;
738
739 /* Closest match */
740 if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
741 sk1 = sk;
742 }
743 }
744 return node ? sk : sk1;
745}
746
747/* Find socket with given address (psm, src).
748 * Returns locked socket */
8e036fc3 749static inline struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
1da177e4
LT		 750{
751 struct sock *s;
752 read_lock(&l2cap_sk_list.lock);
753 s = __l2cap_get_sock_by_psm(state, psm, src);
af05b30b
GP		 754 if (s)
755 bh_lock_sock(s);
1da177e4
LT		 756 read_unlock(&l2cap_sk_list.lock);
757 return s;
758}
759
760static void l2cap_sock_destruct(struct sock *sk)
761{
762 BT_DBG("sk %p", sk);
763
764 skb_queue_purge(&sk->sk_receive_queue);
765 skb_queue_purge(&sk->sk_write_queue);
766}
767
768static void l2cap_sock_cleanup_listen(struct sock *parent)
769{
770 struct sock *sk;
771
772 BT_DBG("parent %p", parent);
773
774 /* Close not yet accepted channels */
775 while ((sk = bt_accept_dequeue(parent, NULL)))
776 l2cap_sock_close(sk);
777
b1235d79 778 parent->sk_state = BT_CLOSED;
1da177e4
LT		 779 sock_set_flag(parent, SOCK_ZAPPED);
780}
781
782/* Kill socket (only if zapped and orphan)
783 * Must be called on unlocked socket.
784 */
785static void l2cap_sock_kill(struct sock *sk)
786{
787 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
788 return;
789
790 BT_DBG("sk %p state %d", sk, sk->sk_state);
791
792 /* Kill poor orphan */
793 bt_sock_unlink(&l2cap_sk_list, sk);
794 sock_set_flag(sk, SOCK_DEAD);
795 sock_put(sk);
796}
797
798static void __l2cap_sock_close(struct sock *sk, int reason)
799{
800 BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
801
802 switch (sk->sk_state) {
803 case BT_LISTEN:
804 l2cap_sock_cleanup_listen(sk);
805 break;
806
807 case BT_CONNECTED:
808 case BT_CONFIG:
bd3c9e25
GP		 809 if (sk->sk_type == SOCK_SEQPACKET ||
810 sk->sk_type == SOCK_STREAM) {
1da177e4 811 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1da177e4 812
1da177e4 813 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
9b108fc0 814 l2cap_send_disconn_req(conn, sk, reason);
b1235d79 815 } else
1da177e4 816 l2cap_chan_del(sk, reason);
1da177e4
LT		 817 break;
818
f66dc81f 819 case BT_CONNECT2:
bd3c9e25
GP		 820 if (sk->sk_type == SOCK_SEQPACKET ||
821 sk->sk_type == SOCK_STREAM) {
f66dc81f
MH		 822 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
823 struct l2cap_conn_rsp rsp;
824 __u16 result;
825
826 if (bt_sk(sk)->defer_setup)
827 result = L2CAP_CR_SEC_BLOCK;
828 else
829 result = L2CAP_CR_BAD_PSM;
830
831 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
832 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
833 rsp.result = cpu_to_le16(result);
834 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
835 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
836 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
837 } else
838 l2cap_chan_del(sk, reason);
839 break;
840
1da177e4
LT		 841 case BT_CONNECT:
842 case BT_DISCONN:
843 l2cap_chan_del(sk, reason);
844 break;
845
846 default:
847 sock_set_flag(sk, SOCK_ZAPPED);
848 break;
849 }
850}
851
852/* Must be called on unlocked socket. */
853static void l2cap_sock_close(struct sock *sk)
854{
855 l2cap_sock_clear_timer(sk);
856 lock_sock(sk);
857 __l2cap_sock_close(sk, ECONNRESET);
858 release_sock(sk);
859 l2cap_sock_kill(sk);
860}
861
862static void l2cap_sock_init(struct sock *sk, struct sock *parent)
863{
864 struct l2cap_pinfo *pi = l2cap_pi(sk);
865
866 BT_DBG("sk %p", sk);
867
868 if (parent) {
869 sk->sk_type = parent->sk_type;
f66dc81f
MH		 870 bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
871
1da177e4
LT		 872 pi->imtu = l2cap_pi(parent)->imtu;
873 pi->omtu = l2cap_pi(parent)->omtu;
85eb53c6 874 pi->conf_state = l2cap_pi(parent)->conf_state;
c6b03cf9
MH		 875 pi->mode = l2cap_pi(parent)->mode;
876 pi->fcs = l2cap_pi(parent)->fcs;
68d7f0ce 877 pi->max_tx = l2cap_pi(parent)->max_tx;
14b5aa71 878 pi->tx_win = l2cap_pi(parent)->tx_win;
2af6b9d5
MH		 879 pi->sec_level = l2cap_pi(parent)->sec_level;
880 pi->role_switch = l2cap_pi(parent)->role_switch;
881 pi->force_reliable = l2cap_pi(parent)->force_reliable;
1da177e4
LT		 882 } else {
883 pi->imtu = L2CAP_DEFAULT_MTU;
884 pi->omtu = 0;
85eb53c6 885 if (enable_ertm && sk->sk_type == SOCK_STREAM) {
bd3c9e25 886 pi->mode = L2CAP_MODE_ERTM;
85eb53c6
GP		 887 pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
888 } else {
bd3c9e25 889 pi->mode = L2CAP_MODE_BASIC;
85eb53c6 890 }
fd059b9b 891 pi->max_tx = L2CAP_DEFAULT_MAX_TX;
c6b03cf9 892 pi->fcs = L2CAP_FCS_CRC16;
fd059b9b 893 pi->tx_win = L2CAP_DEFAULT_TX_WINDOW;
2af6b9d5
MH		 894 pi->sec_level = BT_SECURITY_LOW;
895 pi->role_switch = 0;
896 pi->force_reliable = 0;
1da177e4
LT		 897 }
898
899 /* Default config options */
5dee9e7c 900 pi->conf_len = 0;
1da177e4 901 pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
45054dc1
DY		 902 skb_queue_head_init(TX_QUEUE(sk));
903 skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b 904 skb_queue_head_init(BUSY_QUEUE(sk));
45054dc1 905 INIT_LIST_HEAD(SREJ_LIST(sk));
1da177e4
LT		 906}
907
908static struct proto l2cap_proto = {
909 .name = "L2CAP",
910 .owner = THIS_MODULE,
911 .obj_size = sizeof(struct l2cap_pinfo)
912};
913
1b8d7ae4 914static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
1da177e4
LT		 915{
916 struct sock *sk;
917
6257ff21 918 sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
1da177e4
LT		 919 if (!sk)
920 return NULL;
921
922 sock_init_data(sock, sk);
923 INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
924
925 sk->sk_destruct = l2cap_sock_destruct;
4e8402a3 926 sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
1da177e4
LT		 927
928 sock_reset_flag(sk, SOCK_ZAPPED);
929
930 sk->sk_protocol = proto;
b1235d79 931 sk->sk_state = BT_OPEN;
1da177e4 932
b1235d79 933 setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
1da177e4
LT		 934
935 bt_sock_link(&l2cap_sk_list, sk);
936 return sk;
937}
938
3f378b68
EP		 939static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
940 int kern)
1da177e4
LT		 941{
942 struct sock *sk;
943
944 BT_DBG("sock %p", sock);
945
946 sock->state = SS_UNCONNECTED;
947
bd3c9e25 948 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
1da177e4
LT		 949 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
950 return -ESOCKTNOSUPPORT;
951
c84b3268 952 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
1da177e4
LT		 953 return -EPERM;
954
955 sock->ops = &l2cap_sock_ops;
956
1b8d7ae4 957 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
1da177e4
LT		 958 if (!sk)
959 return -ENOMEM;
960
961 l2cap_sock_init(sk, NULL);
962 return 0;
963}
964
f29972de 965static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
1da177e4 966{
1da177e4 967 struct sock *sk = sock->sk;
f29972de
MH		 968 struct sockaddr_l2 la;
969 int len, err = 0;
1da177e4 970
f29972de 971 BT_DBG("sk %p", sk);
1da177e4
LT		 972
973 if (!addr || addr->sa_family != AF_BLUETOOTH)
974 return -EINVAL;
975
f29972de
MH		 976 memset(&la, 0, sizeof(la));
977 len = min_t(unsigned int, sizeof(la), alen);
978 memcpy(&la, addr, len);
979
2a517ca6
MH		 980 if (la.l2_cid)
981 return -EINVAL;
982
1da177e4
LT		 983 lock_sock(sk);
984
985 if (sk->sk_state != BT_OPEN) {
986 err = -EBADFD;
987 goto done;
988 }
989
b4324b5d 990 if (la.l2_psm && __le16_to_cpu(la.l2_psm) < 0x1001 &&
847641d7
MH		 991 !capable(CAP_NET_BIND_SERVICE)) {
992 err = -EACCES;
993 goto done;
994 }
8e87d142 995
1da177e4
LT		 996 write_lock_bh(&l2cap_sk_list.lock);
997
f29972de 998 if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
1da177e4
LT		 999 err = -EADDRINUSE;
1000 } else {
1001 /* Save source address */
f29972de
MH		 1002 bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
1003 l2cap_pi(sk)->psm = la.l2_psm;
1004 l2cap_pi(sk)->sport = la.l2_psm;
1da177e4 1005 sk->sk_state = BT_BOUND;
2af6b9d5 1006
b4324b5d
MH		 1007 if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
1008 __le16_to_cpu(la.l2_psm) == 0x0003)
2af6b9d5 1009 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
1da177e4
LT		 1010 }
1011
1012 write_unlock_bh(&l2cap_sk_list.lock);
1013
1014done:
1015 release_sock(sk);
1016 return err;
1017}
1018
1019static int l2cap_do_connect(struct sock *sk)
1020{
1021 bdaddr_t *src = &bt_sk(sk)->src;
1022 bdaddr_t *dst = &bt_sk(sk)->dst;
1023 struct l2cap_conn *conn;
1024 struct hci_conn *hcon;
1025 struct hci_dev *hdev;
09ab6f4c 1026 __u8 auth_type;
44d0e48e 1027 int err;
1da177e4 1028
f29972de
MH		 1029 BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
1030 l2cap_pi(sk)->psm);
1da177e4 1031
af05b30b
GP		 1032 hdev = hci_get_route(dst, src);
1033 if (!hdev)
1da177e4
LT		 1034 return -EHOSTUNREACH;
1035
1036 hci_dev_lock_bh(hdev);
1037
1038 err = -ENOMEM;
1039
8c1b2355 1040 if (sk->sk_type == SOCK_RAW) {
2af6b9d5
MH		 1041 switch (l2cap_pi(sk)->sec_level) {
1042 case BT_SECURITY_HIGH:
8c1b2355 1043 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2af6b9d5
MH		 1044 break;
1045 case BT_SECURITY_MEDIUM:
8c1b2355 1046 auth_type = HCI_AT_DEDICATED_BONDING;
2af6b9d5
MH		 1047 break;
1048 default:
09ab6f4c 1049 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 1050 break;
1051 }
8c1b2355 1052 } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
2af6b9d5 1053 if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
8c1b2355 1054 auth_type = HCI_AT_NO_BONDING_MITM;
09ab6f4c 1055 else
8c1b2355 1056 auth_type = HCI_AT_NO_BONDING;
435fef20
MH		 1057
1058 if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
1059 l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
8c1b2355 1060 } else {
2af6b9d5
MH		 1061 switch (l2cap_pi(sk)->sec_level) {
1062 case BT_SECURITY_HIGH:
8c1b2355 1063 auth_type = HCI_AT_GENERAL_BONDING_MITM;
2af6b9d5
MH		 1064 break;
1065 case BT_SECURITY_MEDIUM:
09ab6f4c 1066 auth_type = HCI_AT_GENERAL_BONDING;
2af6b9d5
MH		 1067 break;
1068 default:
8c1b2355 1069 auth_type = HCI_AT_NO_BONDING;
2af6b9d5
MH		 1070 break;
1071 }
09ab6f4c
MH		 1072 }
1073
2af6b9d5
MH		 1074 hcon = hci_connect(hdev, ACL_LINK, dst,
1075 l2cap_pi(sk)->sec_level, auth_type);
1da177e4
LT		 1076 if (!hcon)
1077 goto done;
1078
1079 conn = l2cap_conn_add(hcon, 0);
1080 if (!conn) {
1081 hci_conn_put(hcon);
1082 goto done;
1083 }
1084
1085 err = 0;
1086
1087 /* Update source addr of the socket */
1088 bacpy(src, conn->src);
1089
1090 l2cap_chan_add(conn, sk, NULL);
1091
1092 sk->sk_state = BT_CONNECT;
1093 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
1094
1095 if (hcon->state == BT_CONNECTED) {
bd3c9e25
GP		 1096 if (sk->sk_type != SOCK_SEQPACKET &&
1097 sk->sk_type != SOCK_STREAM) {
1da177e4
LT		 1098 l2cap_sock_clear_timer(sk);
1099 sk->sk_state = BT_CONNECTED;
79d554a6
MH		 1100 } else
1101 l2cap_do_start(sk);
1da177e4
LT		 1102 }
1103
1104done:
1105 hci_dev_unlock_bh(hdev);
1106 hci_dev_put(hdev);
1107 return err;
1108}
1109
1110static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
1111{
1da177e4 1112 struct sock *sk = sock->sk;
f29972de
MH		 1113 struct sockaddr_l2 la;
1114 int len, err = 0;
1da177e4 1115
1da177e4
LT		 1116 BT_DBG("sk %p", sk);
1117
6503d961
CG		 1118 if (!addr || alen < sizeof(addr->sa_family) ||
1119 addr->sa_family != AF_BLUETOOTH)
2a517ca6 1120 return -EINVAL;
1da177e4 1121
f29972de
MH		 1122 memset(&la, 0, sizeof(la));
1123 len = min_t(unsigned int, sizeof(la), alen);
1124 memcpy(&la, addr, len);
1125
2a517ca6
MH		 1126 if (la.l2_cid)
1127 return -EINVAL;
1128
1129 lock_sock(sk);
1130
bd3c9e25
GP		 1131 if ((sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM)
1132 && !la.l2_psm) {
1da177e4
LT		 1133 err = -EINVAL;
1134 goto done;
1135 }
1136
c6b03cf9
MH		 1137 switch (l2cap_pi(sk)->mode) {
1138 case L2CAP_MODE_BASIC:
1139 break;
1140 case L2CAP_MODE_ERTM:
f2fcfcd6 1141 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1142 if (enable_ertm)
1143 break;
1144 /* fall through */
1145 default:
1146 err = -ENOTSUPP;
1147 goto done;
1148 }
1149
af05b30b 1150 switch (sk->sk_state) {
1da177e4
LT		 1151 case BT_CONNECT:
1152 case BT_CONNECT2:
1153 case BT_CONFIG:
1154 /* Already connecting */
1155 goto wait;
1156
1157 case BT_CONNECTED:
1158 /* Already connected */
1159 goto done;
1160
1161 case BT_OPEN:
1162 case BT_BOUND:
1163 /* Can connect */
1164 break;
1165
1166 default:
1167 err = -EBADFD;
1168 goto done;
1169 }
1170
1171 /* Set destination address and psm */
f29972de
MH		 1172 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
1173 l2cap_pi(sk)->psm = la.l2_psm;
1da177e4 1174
af05b30b
GP		 1175 err = l2cap_do_connect(sk);
1176 if (err)
1da177e4
LT		 1177 goto done;
1178
1179wait:
1180 err = bt_sock_wait_state(sk, BT_CONNECTED,
1181 sock_sndtimeo(sk, flags & O_NONBLOCK));
1182done:
1183 release_sock(sk);
1184 return err;
1185}
1186
1187static int l2cap_sock_listen(struct socket *sock, int backlog)
1188{
1189 struct sock *sk = sock->sk;
1190 int err = 0;
1191
1192 BT_DBG("sk %p backlog %d", sk, backlog);
1193
1194 lock_sock(sk);
1195
bd3c9e25
GP		 1196 if ((sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM)
1197 || sk->sk_state != BT_BOUND) {
1da177e4
LT		 1198 err = -EBADFD;
1199 goto done;
1200 }
1201
c6b03cf9
MH		 1202 switch (l2cap_pi(sk)->mode) {
1203 case L2CAP_MODE_BASIC:
1204 break;
1205 case L2CAP_MODE_ERTM:
f2fcfcd6 1206 case L2CAP_MODE_STREAMING:
c6b03cf9
MH		 1207 if (enable_ertm)
1208 break;
1209 /* fall through */
1210 default:
1211 err = -ENOTSUPP;
1212 goto done;
1213 }
1214
1da177e4
LT		 1215 if (!l2cap_pi(sk)->psm) {
1216 bdaddr_t *src = &bt_sk(sk)->src;
1217 u16 psm;
1218
1219 err = -EINVAL;
1220
1221 write_lock_bh(&l2cap_sk_list.lock);
1222
1223 for (psm = 0x1001; psm < 0x1100; psm += 2)
b4324b5d
MH		 1224 if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
1225 l2cap_pi(sk)->psm = cpu_to_le16(psm);
1226 l2cap_pi(sk)->sport = cpu_to_le16(psm);
1da177e4
LT		 1227 err = 0;
1228 break;
1229 }
1230
1231 write_unlock_bh(&l2cap_sk_list.lock);
1232
1233 if (err < 0)
1234 goto done;
1235 }
1236
1237 sk->sk_max_ack_backlog = backlog;
1238 sk->sk_ack_backlog = 0;
1239 sk->sk_state = BT_LISTEN;
1240
1241done:
1242 release_sock(sk);
1243 return err;
1244}
1245
1246static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
1247{
1248 DECLARE_WAITQUEUE(wait, current);
1249 struct sock *sk = sock->sk, *nsk;
1250 long timeo;
1251 int err = 0;
1252
fcc70d5f 1253 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1254
1255 if (sk->sk_state != BT_LISTEN) {
1256 err = -EBADFD;
1257 goto done;
1258 }
1259
1260 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
1261
1262 BT_DBG("sk %p timeo %ld", sk, timeo);
1263
1264 /* Wait for an incoming connection. (wake-one). */
aa395145 1265 add_wait_queue_exclusive(sk_sleep(sk), &wait);
1da177e4
LT		 1266 while (!(nsk = bt_accept_dequeue(sk, newsock))) {
1267 set_current_state(TASK_INTERRUPTIBLE);
1268 if (!timeo) {
1269 err = -EAGAIN;
1270 break;
1271 }
1272
1273 release_sock(sk);
1274 timeo = schedule_timeout(timeo);
fcc70d5f 1275 lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
1da177e4
LT		 1276
1277 if (sk->sk_state != BT_LISTEN) {
1278 err = -EBADFD;
1279 break;
1280 }
1281
1282 if (signal_pending(current)) {
1283 err = sock_intr_errno(timeo);
1284 break;
1285 }
1286 }
1287 set_current_state(TASK_RUNNING);
aa395145 1288 remove_wait_queue(sk_sleep(sk), &wait);
1da177e4
LT		 1289
1290 if (err)
1291 goto done;
1292
1293 newsock->state = SS_CONNECTED;
1294
1295 BT_DBG("new socket %p", nsk);
1296
1297done:
1298 release_sock(sk);
1299 return err;
1300}
1301
1302static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
1303{
1304 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
1305 struct sock *sk = sock->sk;
1306
1307 BT_DBG("sock %p, sk %p", sock, sk);
1308
1309 addr->sa_family = AF_BLUETOOTH;
1310 *len = sizeof(struct sockaddr_l2);
1311
f29972de
MH		 1312 if (peer) {
1313 la->l2_psm = l2cap_pi(sk)->psm;
1da177e4 1314 bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
b4324b5d 1315 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
f29972de
MH		 1316 } else {
1317 la->l2_psm = l2cap_pi(sk)->sport;
1da177e4 1318 bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
b4324b5d 1319 la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
f29972de 1320 }
1da177e4 1321
1da177e4
LT		 1322 return 0;
1323}
1324
6161c038
GP		 1325static int __l2cap_wait_ack(struct sock *sk)
1326{
1327 DECLARE_WAITQUEUE(wait, current);
1328 int err = 0;
1329 int timeo = HZ/5;
1330
2b0b05dd 1331 add_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1332 while ((l2cap_pi(sk)->unacked_frames > 0 && l2cap_pi(sk)->conn)) {
1333 set_current_state(TASK_INTERRUPTIBLE);
1334
1335 if (!timeo)
1336 timeo = HZ/5;
1337
1338 if (signal_pending(current)) {
1339 err = sock_intr_errno(timeo);
1340 break;
1341 }
1342
1343 release_sock(sk);
1344 timeo = schedule_timeout(timeo);
1345 lock_sock(sk);
1346
1347 err = sock_error(sk);
1348 if (err)
1349 break;
1350 }
1351 set_current_state(TASK_RUNNING);
2b0b05dd 1352 remove_wait_queue(sk_sleep(sk), &wait);
6161c038
GP		 1353 return err;
1354}
1355
e90bac06
GP		 1356static void l2cap_monitor_timeout(unsigned long arg)
1357{
1358 struct sock *sk = (void *) arg;
e90bac06 1359
0e98958d
GP		 1360 BT_DBG("sk %p", sk);
1361
e686219a 1362 bh_lock_sock(sk);
e90bac06 1363 if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
9b108fc0 1364 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk, ECONNABORTED);
b13f5860 1365 bh_unlock_sock(sk);
e90bac06
GP		 1366 return;
1367 }
1368
1369 l2cap_pi(sk)->retry_count++;
1370 __mod_monitor_timer();
1371
a2e12a2a 1372 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1373 bh_unlock_sock(sk);
e90bac06
GP		 1374}
1375
1376static void l2cap_retrans_timeout(unsigned long arg)
1377{
1378 struct sock *sk = (void *) arg;
e90bac06 1379
0e98958d
GP		 1380 BT_DBG("sk %p", sk);
1381
e686219a 1382 bh_lock_sock(sk);
e90bac06
GP		 1383 l2cap_pi(sk)->retry_count = 1;
1384 __mod_monitor_timer();
1385
1386 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
1387
a2e12a2a 1388 l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
e686219a 1389 bh_unlock_sock(sk);
e90bac06
GP		 1390}
1391
1c2acffb 1392static void l2cap_drop_acked_frames(struct sock *sk)
1da177e4 1393{
1c2acffb 1394 struct sk_buff *skb;
1da177e4 1395
812e737e
GP		 1396 while ((skb = skb_peek(TX_QUEUE(sk))) &&
1397 l2cap_pi(sk)->unacked_frames) {
1c2acffb
GP		 1398 if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
1399 break;
1da177e4 1400
1c2acffb
GP		 1401 skb = skb_dequeue(TX_QUEUE(sk));
1402 kfree_skb(skb);
1da177e4 1403
1c2acffb
GP		 1404 l2cap_pi(sk)->unacked_frames--;
1405 }
1da177e4 1406
e90bac06
GP		 1407 if (!l2cap_pi(sk)->unacked_frames)
1408 del_timer(&l2cap_pi(sk)->retrans_timer);
1c2acffb 1409}
1da177e4 1410
9a9c6a34 1411static inline void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
1c2acffb
GP		 1412{
1413 struct l2cap_pinfo *pi = l2cap_pi(sk);
1c2acffb
GP		 1414
1415 BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
1da177e4 1416
9a9c6a34 1417 hci_send_acl(pi->conn->hcon, skb, 0);
1c2acffb
GP		 1418}
1419
6840ed07
GP		 1420static int l2cap_streaming_send(struct sock *sk)
1421{
1422 struct sk_buff *skb, *tx_skb;
1423 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1424 u16 control, fcs;
6840ed07
GP		 1425
1426 while ((skb = sk->sk_send_head)) {
1427 tx_skb = skb_clone(skb, GFP_ATOMIC);
1428
1429 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
1430 control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
1431 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1432
e8235c6b 1433 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1434 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1435 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1436 }
1437
9a9c6a34 1438 l2cap_do_send(sk, tx_skb);
6840ed07
GP		 1439
1440 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1441
1442 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1443 sk->sk_send_head = NULL;
1444 else
1445 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
1446
1447 skb = skb_dequeue(TX_QUEUE(sk));
1448 kfree_skb(skb);
1449 }
1450 return 0;
1451}
1452
dfc909be 1453static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
8f17154f
GP		 1454{
1455 struct l2cap_pinfo *pi = l2cap_pi(sk);
1456 struct sk_buff *skb, *tx_skb;
1457 u16 control, fcs;
8f17154f
GP		 1458
1459 skb = skb_peek(TX_QUEUE(sk));
f11d676d
GP		 1460 if (!skb)
1461 return;
8f17154f 1462
f11d676d
GP		 1463 do {
1464 if (bt_cb(skb)->tx_seq == tx_seq)
8f17154f 1465 break;
8f17154f 1466
f11d676d
GP		 1467 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1468 return;
8f17154f 1469
f11d676d 1470 } while ((skb = skb_queue_next(TX_QUEUE(sk), skb)));
8f17154f 1471
f11d676d
GP		 1472 if (pi->remote_max_tx &&
1473 bt_cb(skb)->retries == pi->remote_max_tx) {
9b108fc0 1474 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
f11d676d
GP		 1475 return;
1476 }
1477
1478 tx_skb = skb_clone(skb, GFP_ATOMIC);
1479 bt_cb(skb)->retries++;
1480 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
3cb123d1
GP		 1481
1482 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1483 control |= L2CAP_CTRL_FINAL;
1484 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1485 }
95ffa978 1486
f11d676d
GP		 1487 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1488 | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
3cb123d1 1489
f11d676d
GP		 1490 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1491
1492 if (pi->fcs == L2CAP_FCS_CRC16) {
1493 fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
1494 put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
1495 }
1496
1497 l2cap_do_send(sk, tx_skb);
8f17154f
GP		 1498}
1499
1c2acffb
GP		 1500static int l2cap_ertm_send(struct sock *sk)
1501{
1502 struct sk_buff *skb, *tx_skb;
1503 struct l2cap_pinfo *pi = l2cap_pi(sk);
fcc203c3 1504 u16 control, fcs;
9a9c6a34 1505 int nsent = 0;
1c2acffb 1506
c13ffa62
GP		 1507 if (sk->sk_state != BT_CONNECTED)
1508 return -ENOTCONN;
e90bac06 1509
6e2b6722 1510 while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))) {
1c2acffb 1511
e90bac06
GP		 1512 if (pi->remote_max_tx &&
1513 bt_cb(skb)->retries == pi->remote_max_tx) {
9b108fc0 1514 l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
e90bac06
GP		 1515 break;
1516 }
1517
e420aba3
AE		 1518 tx_skb = skb_clone(skb, GFP_ATOMIC);
1519
e90bac06
GP		 1520 bt_cb(skb)->retries++;
1521
1c2acffb 1522 control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
95ffa978
GP		 1523 control &= L2CAP_CTRL_SAR;
1524
d5392c8f
GP		 1525 if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
1526 control |= L2CAP_CTRL_FINAL;
1527 pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
1528 }
9f121a5a 1529 control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
1c2acffb
GP		 1530 | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
1531 put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
1532
e90bac06 1533
e8235c6b 1534 if (pi->fcs == L2CAP_FCS_CRC16) {
fcc203c3
GP		 1535 fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
1536 put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
1537 }
1538
9a9c6a34
GP		 1539 l2cap_do_send(sk, tx_skb);
1540
e90bac06 1541 __mod_retrans_timer();
1c2acffb
GP		 1542
1543 bt_cb(skb)->tx_seq = pi->next_tx_seq;
1544 pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
1545
1546 pi->unacked_frames++;
d5392c8f 1547 pi->frames_sent++;
1c2acffb
GP		 1548
1549 if (skb_queue_is_last(TX_QUEUE(sk), skb))
1550 sk->sk_send_head = NULL;
1551 else
1552 sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
9e917af1
GP		 1553
1554 nsent++;
1c2acffb
GP		 1555 }
1556
9e917af1
GP		 1557 return nsent;
1558}
1559
dfc909be
GP		 1560static int l2cap_retransmit_frames(struct sock *sk)
1561{
1562 struct l2cap_pinfo *pi = l2cap_pi(sk);
1563 int ret;
1564
dfc909be
GP		 1565 if (!skb_queue_empty(TX_QUEUE(sk)))
1566 sk->sk_send_head = TX_QUEUE(sk)->next;
1567
1568 pi->next_tx_seq = pi->expected_ack_seq;
1569 ret = l2cap_ertm_send(sk);
dfc909be
GP		 1570 return ret;
1571}
1572
9a9c6a34 1573static void l2cap_send_ack(struct l2cap_pinfo *pi)
9e917af1
GP		 1574{
1575 struct sock *sk = (struct sock *)pi;
1576 u16 control = 0;
1577
1578 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1579
1580 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
1581 control |= L2CAP_SUPER_RCV_NOT_READY;
1890d36b 1582 pi->conn_state |= L2CAP_CONN_RNR_SENT;
9a9c6a34
GP		 1583 l2cap_send_sframe(pi, control);
1584 return;
9e917af1 1585 }
dfc909be 1586
e0f66218 1587 if (l2cap_ertm_send(sk) > 0)
dfc909be
GP		 1588 return;
1589
1590 control |= L2CAP_SUPER_RCV_READY;
1591 l2cap_send_sframe(pi, control);
1c2acffb
GP		 1592}
1593
9a9c6a34 1594static void l2cap_send_srejtail(struct sock *sk)
99b0d4b7
GP		 1595{
1596 struct srej_list *tail;
1597 u16 control;
1598
1599 control = L2CAP_SUPER_SELECT_REJECT;
1600 control |= L2CAP_CTRL_FINAL;
1601
1602 tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list);
1603 control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
1604
1605 l2cap_send_sframe(l2cap_pi(sk), control);
99b0d4b7
GP		 1606}
1607
1c2acffb
GP		 1608static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
1609{
1610 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1611 struct sk_buff **frag;
1612 int err, sent = 0;
1da177e4 1613
59203a21 1614 if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
1c2acffb 1615 return -EFAULT;
1da177e4
LT		 1616
1617 sent += count;
1618 len -= count;
1619
1620 /* Continuation fragments (no L2CAP header) */
1621 frag = &skb_shinfo(skb)->frag_list;
1622 while (len) {
1623 count = min_t(unsigned int, conn->mtu, len);
1624
1625 *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
1626 if (!*frag)
1c2acffb
GP		 1627 return -EFAULT;
1628 if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
1629 return -EFAULT;
1da177e4
LT		 1630
1631 sent += count;
1632 len -= count;
1633
1634 frag = &(*frag)->next;
1635 }
1da177e4
LT		 1636
1637 return sent;
1c2acffb 1638}
1da177e4 1639
1c2acffb
GP		 1640static struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1641{
1642 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1643 struct sk_buff *skb;
1644 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1645 struct l2cap_hdr *lh;
1646
1647 BT_DBG("sk %p len %d", sk, (int)len);
1648
1649 count = min_t(unsigned int, (conn->mtu - hlen), len);
1650 skb = bt_skb_send_alloc(sk, count + hlen,
1651 msg->msg_flags & MSG_DONTWAIT, &err);
1652 if (!skb)
1653 return ERR_PTR(-ENOMEM);
1654
1655 /* Create L2CAP header */
1656 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1657 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1658 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1659 put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
1660
1661 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1662 if (unlikely(err < 0)) {
1663 kfree_skb(skb);
1664 return ERR_PTR(err);
1665 }
1666 return skb;
1667}
1668
1669static struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
1670{
1671 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1672 struct sk_buff *skb;
1673 int err, count, hlen = L2CAP_HDR_SIZE;
1674 struct l2cap_hdr *lh;
1675
1676 BT_DBG("sk %p len %d", sk, (int)len);
1677
1678 count = min_t(unsigned int, (conn->mtu - hlen), len);
1679 skb = bt_skb_send_alloc(sk, count + hlen,
1680 msg->msg_flags & MSG_DONTWAIT, &err);
1681 if (!skb)
1682 return ERR_PTR(-ENOMEM);
1683
1684 /* Create L2CAP header */
1685 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1686 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1687 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1688
1689 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1690 if (unlikely(err < 0)) {
1691 kfree_skb(skb);
1692 return ERR_PTR(err);
1693 }
1694 return skb;
1695}
1696
6840ed07 1697static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
1c2acffb
GP		 1698{
1699 struct l2cap_conn *conn = l2cap_pi(sk)->conn;
1700 struct sk_buff *skb;
1701 int err, count, hlen = L2CAP_HDR_SIZE + 2;
1702 struct l2cap_hdr *lh;
1703
1704 BT_DBG("sk %p len %d", sk, (int)len);
1705
0ee0d208
GP		 1706 if (!conn)
1707 return ERR_PTR(-ENOTCONN);
1708
c74e560c
GP		 1709 if (sdulen)
1710 hlen += 2;
1711
fcc203c3
GP		 1712 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1713 hlen += 2;
1714
1c2acffb
GP		 1715 count = min_t(unsigned int, (conn->mtu - hlen), len);
1716 skb = bt_skb_send_alloc(sk, count + hlen,
1717 msg->msg_flags & MSG_DONTWAIT, &err);
1718 if (!skb)
1719 return ERR_PTR(-ENOMEM);
1720
1721 /* Create L2CAP header */
1722 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
1723 lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
1724 lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
1725 put_unaligned_le16(control, skb_put(skb, 2));
c74e560c
GP		 1726 if (sdulen)
1727 put_unaligned_le16(sdulen, skb_put(skb, 2));
1c2acffb
GP		 1728
1729 err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
1730 if (unlikely(err < 0)) {
1731 kfree_skb(skb);
1732 return ERR_PTR(err);
1733 }
e90bac06 1734
fcc203c3
GP		 1735 if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
1736 put_unaligned_le16(0, skb_put(skb, 2));
1737
e90bac06 1738 bt_cb(skb)->retries = 0;
1c2acffb 1739 return skb;
1da177e4
LT		 1740}
1741
c74e560c
GP		 1742static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
1743{
1744 struct l2cap_pinfo *pi = l2cap_pi(sk);
1745 struct sk_buff *skb;
1746 struct sk_buff_head sar_queue;
1747 u16 control;
1748 size_t size = 0;
1749
ff12fd64 1750 skb_queue_head_init(&sar_queue);
c74e560c 1751 control = L2CAP_SDU_START;
1c762159 1752 skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len);
c74e560c
GP		 1753 if (IS_ERR(skb))
1754 return PTR_ERR(skb);
1755
1756 __skb_queue_tail(&sar_queue, skb);
1c762159
GP		 1757 len -= pi->remote_mps;
1758 size += pi->remote_mps;
c74e560c
GP		 1759
1760 while (len > 0) {
1761 size_t buflen;
1762
1c762159 1763 if (len > pi->remote_mps) {
44651b85 1764 control = L2CAP_SDU_CONTINUE;
1c762159 1765 buflen = pi->remote_mps;
c74e560c 1766 } else {
44651b85 1767 control = L2CAP_SDU_END;
c74e560c
GP		 1768 buflen = len;
1769 }
1770
6840ed07 1771 skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
c74e560c
GP		 1772 if (IS_ERR(skb)) {
1773 skb_queue_purge(&sar_queue);
1774 return PTR_ERR(skb);
1775 }
1776
1777 __skb_queue_tail(&sar_queue, skb);
1778 len -= buflen;
1779 size += buflen;
c74e560c
GP		 1780 }
1781 skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
1782 if (sk->sk_send_head == NULL)
1783 sk->sk_send_head = sar_queue.next;
1784
1785 return size;
1786}
1787
1da177e4
LT		 1788static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
1789{
1790 struct sock *sk = sock->sk;
1c2acffb
GP		 1791 struct l2cap_pinfo *pi = l2cap_pi(sk);
1792 struct sk_buff *skb;
1793 u16 control;
1794 int err;
1da177e4
LT		 1795
1796 BT_DBG("sock %p, sk %p", sock, sk);
1797
c1cbe4b7
BL		 1798 err = sock_error(sk);
1799 if (err)
1800 return err;
1da177e4
LT		 1801
1802 if (msg->msg_flags & MSG_OOB)
1803 return -EOPNOTSUPP;
1804
1da177e4
LT		 1805 lock_sock(sk);
1806
1c2acffb 1807 if (sk->sk_state != BT_CONNECTED) {
1da177e4 1808 err = -ENOTCONN;
1c2acffb
GP		 1809 goto done;
1810 }
1da177e4 1811
1c2acffb
GP		 1812 /* Connectionless channel */
1813 if (sk->sk_type == SOCK_DGRAM) {
1814 skb = l2cap_create_connless_pdu(sk, msg, len);
9a9c6a34 1815 if (IS_ERR(skb)) {
477fffb0 1816 err = PTR_ERR(skb);
9a9c6a34
GP		 1817 } else {
1818 l2cap_do_send(sk, skb);
1819 err = len;
1820 }
1c2acffb
GP		 1821 goto done;
1822 }
1823
1824 switch (pi->mode) {
1825 case L2CAP_MODE_BASIC:
c69163e9
GP		 1826 /* Check outgoing MTU */
1827 if (len > pi->omtu) {
1828 err = -EINVAL;
1829 goto done;
1830 }
1831
1c2acffb
GP		 1832 /* Create a basic PDU */
1833 skb = l2cap_create_basic_pdu(sk, msg, len);
1834 if (IS_ERR(skb)) {
1835 err = PTR_ERR(skb);
1836 goto done;
1837 }
1838
9a9c6a34
GP		 1839 l2cap_do_send(sk, skb);
1840 err = len;
1c2acffb
GP		 1841 break;
1842
1843 case L2CAP_MODE_ERTM:
6840ed07 1844 case L2CAP_MODE_STREAMING:
1c2acffb 1845 /* Entire SDU fits into one PDU */
1c762159 1846 if (len <= pi->remote_mps) {
1c2acffb 1847 control = L2CAP_SDU_UNSEGMENTED;
6840ed07 1848 skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
1c2acffb
GP		 1849 if (IS_ERR(skb)) {
1850 err = PTR_ERR(skb);
1851 goto done;
1852 }
c74e560c 1853 __skb_queue_tail(TX_QUEUE(sk), skb);
dfc909be 1854
c74e560c
GP		 1855 if (sk->sk_send_head == NULL)
1856 sk->sk_send_head = skb;
dfc909be 1857
1c2acffb 1858 } else {
c74e560c
GP		 1859 /* Segment SDU into multiples PDUs */
1860 err = l2cap_sar_segment_sdu(sk, msg, len);
1861 if (err < 0)
1862 goto done;
1c2acffb 1863 }
1c2acffb 1864
dfc909be 1865 if (pi->mode == L2CAP_MODE_STREAMING) {
6840ed07 1866 err = l2cap_streaming_send(sk);
dfc909be 1867 } else {
6e2b6722
GP		 1868 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY &&
1869 pi->conn_state && L2CAP_CONN_WAIT_F) {
1870 err = len;
1871 break;
1872 }
6840ed07 1873 err = l2cap_ertm_send(sk);
dfc909be 1874 }
6840ed07 1875
9e917af1 1876 if (err >= 0)
1c2acffb
GP		 1877 err = len;
1878 break;
1879
1880 default:
1881 BT_DBG("bad state %1.1x", pi->mode);
1882 err = -EINVAL;
1883 }
1884
1885done:
1da177e4
LT		 1886 release_sock(sk);
1887 return err;
1888}
1889
f66dc81f
MH		 1890static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
1891{
1892 struct sock *sk = sock->sk;
1893
1894 lock_sock(sk);
1895
1896 if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
1897 struct l2cap_conn_rsp rsp;
1898
1899 sk->sk_state = BT_CONFIG;
1900
1901 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1902 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
1903 rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
1904 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
1905 l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
1906 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
1907
1908 release_sock(sk);
1909 return 0;
1910 }
1911
1912 release_sock(sk);
1913
1914 return bt_sock_recvmsg(iocb, sock, msg, len, flags);
1915}
1916
b7058842 1917static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
1da177e4
LT		 1918{
1919 struct sock *sk = sock->sk;
1920 struct l2cap_options opts;
f29972de 1921 int len, err = 0;
1da177e4
LT		 1922 u32 opt;
1923
1924 BT_DBG("sk %p", sk);
1925
1926 lock_sock(sk);
1927
1928 switch (optname) {
1929 case L2CAP_OPTIONS:
0878b666
MH		 1930 opts.imtu = l2cap_pi(sk)->imtu;
1931 opts.omtu = l2cap_pi(sk)->omtu;
1932 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 1933 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 1934 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 1935 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 1936 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
0878b666 1937
1da177e4
LT		 1938 len = min_t(unsigned int, sizeof(opts), optlen);
1939 if (copy_from_user((char *) &opts, optval, len)) {
1940 err = -EFAULT;
1941 break;
1942 }
0878b666 1943
45d65c46
GP		 1944 if (opts.txwin_size > L2CAP_DEFAULT_TX_WINDOW) {
1945 err = -EINVAL;
1946 break;
1947 }
1948
0041ecfa
JPRV		 1949 l2cap_pi(sk)->mode = opts.mode;
1950 switch (l2cap_pi(sk)->mode) {
1951 case L2CAP_MODE_BASIC:
85eb53c6 1952 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_STATE2_DEVICE;
0041ecfa
JPRV		 1953 break;
1954 case L2CAP_MODE_ERTM:
1955 case L2CAP_MODE_STREAMING:
1956 if (enable_ertm)
1957 break;
1958 /* fall through */
1959 default:
1960 err = -EINVAL;
1961 break;
1962 }
1963
c6b03cf9
MH		 1964 l2cap_pi(sk)->imtu = opts.imtu;
1965 l2cap_pi(sk)->omtu = opts.omtu;
fcc203c3 1966 l2cap_pi(sk)->fcs = opts.fcs;
68d7f0ce 1967 l2cap_pi(sk)->max_tx = opts.max_tx;
14b5aa71 1968 l2cap_pi(sk)->tx_win = (__u8)opts.txwin_size;
1da177e4
LT		 1969 break;
1970
1971 case L2CAP_LM:
1972 if (get_user(opt, (u32 __user *) optval)) {
1973 err = -EFAULT;
1974 break;
1975 }
1976
2af6b9d5
MH		 1977 if (opt & L2CAP_LM_AUTH)
1978 l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
1979 if (opt & L2CAP_LM_ENCRYPT)
1980 l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
1981 if (opt & L2CAP_LM_SECURE)
1982 l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
1983
1984 l2cap_pi(sk)->role_switch = (opt & L2CAP_LM_MASTER);
1985 l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
1da177e4
LT		 1986 break;
1987
1988 default:
1989 err = -ENOPROTOOPT;
1990 break;
1991 }
1992
1993 release_sock(sk);
1994 return err;
1995}
1996
b7058842 1997static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
d58daf42
MH		 1998{
1999 struct sock *sk = sock->sk;
2af6b9d5
MH		 2000 struct bt_security sec;
2001 int len, err = 0;
f66dc81f 2002 u32 opt;
d58daf42
MH		 2003
2004 BT_DBG("sk %p", sk);
2005
2006 if (level == SOL_L2CAP)
2007 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
2008
0588d94f
MH		 2009 if (level != SOL_BLUETOOTH)
2010 return -ENOPROTOOPT;
2011
d58daf42
MH		 2012 lock_sock(sk);
2013
2014 switch (optname) {
2af6b9d5 2015 case BT_SECURITY:
bd3c9e25
GP		 2016 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2017 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 2018 err = -EINVAL;
2019 break;
2020 }
2021
2af6b9d5
MH		 2022 sec.level = BT_SECURITY_LOW;
2023
2024 len = min_t(unsigned int, sizeof(sec), optlen);
2025 if (copy_from_user((char *) &sec, optval, len)) {
2026 err = -EFAULT;
2027 break;
2028 }
2029
2030 if (sec.level < BT_SECURITY_LOW ||
2031 sec.level > BT_SECURITY_HIGH) {
2032 err = -EINVAL;
2033 break;
2034 }
2035
2036 l2cap_pi(sk)->sec_level = sec.level;
2037 break;
2038
f66dc81f
MH		 2039 case BT_DEFER_SETUP:
2040 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2041 err = -EINVAL;
2042 break;
2043 }
2044
2045 if (get_user(opt, (u32 __user *) optval)) {
2046 err = -EFAULT;
2047 break;
2048 }
2049
2050 bt_sk(sk)->defer_setup = opt;
2051 break;
2052
d58daf42
MH		 2053 default:
2054 err = -ENOPROTOOPT;
2055 break;
2056 }
2057
2058 release_sock(sk);
2059 return err;
2060}
2061
2062static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
1da177e4
LT		 2063{
2064 struct sock *sk = sock->sk;
2065 struct l2cap_options opts;
2066 struct l2cap_conninfo cinfo;
2067 int len, err = 0;
2af6b9d5 2068 u32 opt;
1da177e4
LT		 2069
2070 BT_DBG("sk %p", sk);
2071
2072 if (get_user(len, optlen))
2073 return -EFAULT;
2074
2075 lock_sock(sk);
2076
2077 switch (optname) {
2078 case L2CAP_OPTIONS:
2079 opts.imtu = l2cap_pi(sk)->imtu;
2080 opts.omtu = l2cap_pi(sk)->omtu;
2081 opts.flush_to = l2cap_pi(sk)->flush_to;
c6b03cf9 2082 opts.mode = l2cap_pi(sk)->mode;
fcc203c3 2083 opts.fcs = l2cap_pi(sk)->fcs;
68d7f0ce 2084 opts.max_tx = l2cap_pi(sk)->max_tx;
14b5aa71 2085 opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
1da177e4
LT		 2086
2087 len = min_t(unsigned int, len, sizeof(opts));
2088 if (copy_to_user(optval, (char *) &opts, len))
2089 err = -EFAULT;
2090
2091 break;
2092
2093 case L2CAP_LM:
2af6b9d5
MH		 2094 switch (l2cap_pi(sk)->sec_level) {
2095 case BT_SECURITY_LOW:
2096 opt = L2CAP_LM_AUTH;
2097 break;
2098 case BT_SECURITY_MEDIUM:
2099 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
2100 break;
2101 case BT_SECURITY_HIGH:
2102 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
2103 L2CAP_LM_SECURE;
2104 break;
2105 default:
2106 opt = 0;
2107 break;
2108 }
2109
2110 if (l2cap_pi(sk)->role_switch)
2111 opt |= L2CAP_LM_MASTER;
2112
2113 if (l2cap_pi(sk)->force_reliable)
2114 opt |= L2CAP_LM_RELIABLE;
2115
2116 if (put_user(opt, (u32 __user *) optval))
1da177e4
LT		 2117 err = -EFAULT;
2118 break;
2119
2120 case L2CAP_CONNINFO:
f66dc81f
MH		 2121 if (sk->sk_state != BT_CONNECTED &&
2122 !(sk->sk_state == BT_CONNECT2 &&
2123 bt_sk(sk)->defer_setup)) {
1da177e4
LT		 2124 err = -ENOTCONN;
2125 break;
2126 }
2127
2128 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
2129 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
2130
2131 len = min_t(unsigned int, len, sizeof(cinfo));
2132 if (copy_to_user(optval, (char *) &cinfo, len))
2133 err = -EFAULT;
2134
2135 break;
2136
2137 default:
2138 err = -ENOPROTOOPT;
2139 break;
2140 }
2141
2142 release_sock(sk);
2143 return err;
2144}
2145
d58daf42
MH		 2146static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
2147{
2148 struct sock *sk = sock->sk;
2af6b9d5 2149 struct bt_security sec;
d58daf42
MH		 2150 int len, err = 0;
2151
2152 BT_DBG("sk %p", sk);
2153
2154 if (level == SOL_L2CAP)
2155 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
2156
0588d94f
MH		 2157 if (level != SOL_BLUETOOTH)
2158 return -ENOPROTOOPT;
2159
d58daf42
MH		 2160 if (get_user(len, optlen))
2161 return -EFAULT;
2162
2163 lock_sock(sk);
2164
2165 switch (optname) {
2af6b9d5 2166 case BT_SECURITY:
bd3c9e25
GP		 2167 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
2168 && sk->sk_type != SOCK_RAW) {
0588d94f
MH		 2169 err = -EINVAL;
2170 break;
2171 }
2172
2af6b9d5
MH		 2173 sec.level = l2cap_pi(sk)->sec_level;
2174
2175 len = min_t(unsigned int, len, sizeof(sec));
2176 if (copy_to_user(optval, (char *) &sec, len))
2177 err = -EFAULT;
2178
2179 break;
2180
f66dc81f
MH		 2181 case BT_DEFER_SETUP:
2182 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
2183 err = -EINVAL;
2184 break;
2185 }
2186
2187 if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
2188 err = -EFAULT;
2189
2190 break;
2191
d58daf42
MH		 2192 default:
2193 err = -ENOPROTOOPT;
2194 break;
2195 }
2196
2197 release_sock(sk);
2198 return err;
2199}
2200
1da177e4
LT		 2201static int l2cap_sock_shutdown(struct socket *sock, int how)
2202{
2203 struct sock *sk = sock->sk;
2204 int err = 0;
2205
2206 BT_DBG("sock %p, sk %p", sock, sk);
2207
2208 if (!sk)
2209 return 0;
2210
2211 lock_sock(sk);
2212 if (!sk->sk_shutdown) {
6161c038
GP		 2213 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
2214 err = __l2cap_wait_ack(sk);
2215
1da177e4
LT		 2216 sk->sk_shutdown = SHUTDOWN_MASK;
2217 l2cap_sock_clear_timer(sk);
2218 __l2cap_sock_close(sk, 0);
2219
2220 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
b1235d79
MH		 2221 err = bt_sock_wait_state(sk, BT_CLOSED,
2222 sk->sk_lingertime);
1da177e4 2223 }
9b108fc0
GP		 2224
2225 if (!err && sk->sk_err)
2226 err = -sk->sk_err;
2227
1da177e4
LT		 2228 release_sock(sk);
2229 return err;
2230}
2231
2232static int l2cap_sock_release(struct socket *sock)
2233{
2234 struct sock *sk = sock->sk;
2235 int err;
2236
2237 BT_DBG("sock %p, sk %p", sock, sk);
2238
2239 if (!sk)
2240 return 0;
2241
2242 err = l2cap_sock_shutdown(sock, 2);
2243
2244 sock_orphan(sk);
2245 l2cap_sock_kill(sk);
2246 return err;
2247}
2248
1da177e4
LT		 2249static void l2cap_chan_ready(struct sock *sk)
2250{
2251 struct sock *parent = bt_sk(sk)->parent;
2252
2253 BT_DBG("sk %p, parent %p", sk, parent);
2254
2255 l2cap_pi(sk)->conf_state = 0;
2256 l2cap_sock_clear_timer(sk);
2257
2258 if (!parent) {
2259 /* Outgoing channel.
2260 * Wake up socket sleeping on connect.
2261 */
2262 sk->sk_state = BT_CONNECTED;
2263 sk->sk_state_change(sk);
2264 } else {
2265 /* Incoming channel.
2266 * Wake up socket sleeping on accept.
2267 */
2268 parent->sk_data_ready(parent, 0);
2269 }
2270}
2271
2272/* Copy frame to all raw sockets on that connection */
2273static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
2274{
2275 struct l2cap_chan_list *l = &conn->chan_list;
2276 struct sk_buff *nskb;
af05b30b 2277 struct sock *sk;
1da177e4
LT		 2278
2279 BT_DBG("conn %p", conn);
2280
2281 read_lock(&l->lock);
2282 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
2283 if (sk->sk_type != SOCK_RAW)
2284 continue;
2285
2286 /* Don't send frame to the socket it came from */
2287 if (skb->sk == sk)
2288 continue;
af05b30b
GP		 2289 nskb = skb_clone(skb, GFP_ATOMIC);
2290 if (!nskb)
1da177e4
LT		 2291 continue;
2292
2293 if (sock_queue_rcv_skb(sk, nskb))
2294 kfree_skb(nskb);
2295 }
2296 read_unlock(&l->lock);
2297}
2298
2299/* ---- L2CAP signalling commands ---- */
2300static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
2301 u8 code, u8 ident, u16 dlen, void *data)
2302{
2303 struct sk_buff *skb, **frag;
2304 struct l2cap_cmd_hdr *cmd;
2305 struct l2cap_hdr *lh;
2306 int len, count;
2307
af05b30b
GP		 2308 BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
2309 conn, code, ident, dlen);
1da177e4
LT		 2310
2311 len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
2312 count = min_t(unsigned int, conn->mtu, len);
2313
2314 skb = bt_skb_alloc(count, GFP_ATOMIC);
2315 if (!skb)
2316 return NULL;
2317
2318 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
aca3192c 2319 lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
8db4dc46 2320 lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
1da177e4
LT		 2321
2322 cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
2323 cmd->code = code;
2324 cmd->ident = ident;
aca3192c 2325 cmd->len = cpu_to_le16(dlen);
1da177e4
LT		 2326
2327 if (dlen) {
2328 count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
2329 memcpy(skb_put(skb, count), data, count);
2330 data += count;
2331 }
2332
2333 len -= skb->len;
2334
2335 /* Continuation fragments (no L2CAP header) */
2336 frag = &skb_shinfo(skb)->frag_list;
2337 while (len) {
2338 count = min_t(unsigned int, conn->mtu, len);
2339
2340 *frag = bt_skb_alloc(count, GFP_ATOMIC);
2341 if (!*frag)
2342 goto fail;
2343
2344 memcpy(skb_put(*frag, count), data, count);
2345
2346 len -= count;
2347 data += count;
2348
2349 frag = &(*frag)->next;
2350 }
2351
2352 return skb;
2353
2354fail:
2355 kfree_skb(skb);
2356 return NULL;
2357}
2358
2359static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
2360{
2361 struct l2cap_conf_opt *opt = *ptr;
2362 int len;
2363
2364 len = L2CAP_CONF_OPT_SIZE + opt->len;
2365 *ptr += len;
2366
2367 *type = opt->type;
2368 *olen = opt->len;
2369
2370 switch (opt->len) {
2371 case 1:
2372 *val = *((u8 *) opt->val);
2373 break;
2374
2375 case 2:
861d6882 2376 *val = __le16_to_cpu(*((__le16 *) opt->val));
1da177e4
LT		 2377 break;
2378
2379 case 4:
861d6882 2380 *val = __le32_to_cpu(*((__le32 *) opt->val));
1da177e4
LT		 2381 break;
2382
2383 default:
2384 *val = (unsigned long) opt->val;
2385 break;
2386 }
2387
2388 BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
2389 return len;
2390}
2391
1da177e4
LT		 2392static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
2393{
2394 struct l2cap_conf_opt *opt = *ptr;
2395
2396 BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
2397
2398 opt->type = type;
2399 opt->len = len;
2400
2401 switch (len) {
2402 case 1:
2403 *((u8 *) opt->val) = val;
2404 break;
2405
2406 case 2:
8e036fc3 2407 *((__le16 *) opt->val) = cpu_to_le16(val);
1da177e4
LT		 2408 break;
2409
2410 case 4:
8e036fc3 2411 *((__le32 *) opt->val) = cpu_to_le32(val);
1da177e4
LT		 2412 break;
2413
2414 default:
2415 memcpy(opt->val, (void *) val, len);
2416 break;
2417 }
2418
2419 *ptr += L2CAP_CONF_OPT_SIZE + len;
2420}
2421
c1b4f43b
GP		 2422static void l2cap_ack_timeout(unsigned long arg)
2423{
2424 struct sock *sk = (void *) arg;
2425
2426 bh_lock_sock(sk);
2427 l2cap_send_ack(l2cap_pi(sk));
2428 bh_unlock_sock(sk);
2429}
2430
0565c1c2
GP		 2431static inline void l2cap_ertm_init(struct sock *sk)
2432{
2433 l2cap_pi(sk)->expected_ack_seq = 0;
2434 l2cap_pi(sk)->unacked_frames = 0;
2435 l2cap_pi(sk)->buffer_seq = 0;
803020c6 2436 l2cap_pi(sk)->num_acked = 0;
d5392c8f 2437 l2cap_pi(sk)->frames_sent = 0;
0565c1c2
GP		 2438
2439 setup_timer(&l2cap_pi(sk)->retrans_timer,
2440 l2cap_retrans_timeout, (unsigned long) sk);
2441 setup_timer(&l2cap_pi(sk)->monitor_timer,
2442 l2cap_monitor_timeout, (unsigned long) sk);
c1b4f43b
GP		 2443 setup_timer(&l2cap_pi(sk)->ack_timer,
2444 l2cap_ack_timeout, (unsigned long) sk);
0565c1c2
GP		 2445
2446 __skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b
GP		 2447 __skb_queue_head_init(BUSY_QUEUE(sk));
2448
2449 INIT_WORK(&l2cap_pi(sk)->busy_work, l2cap_busy_work);
0565c1c2
GP		 2450}
2451
f2fcfcd6
GP		 2452static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
2453{
2454 switch (mode) {
2455 case L2CAP_MODE_STREAMING:
2456 case L2CAP_MODE_ERTM:
2457 if (l2cap_mode_supported(mode, remote_feat_mask))
2458 return mode;
2459 /* fall through */
2460 default:
2461 return L2CAP_MODE_BASIC;
2462 }
2463}
2464
1da177e4
LT		 2465static int l2cap_build_conf_req(struct sock *sk, void *data)
2466{
2467 struct l2cap_pinfo *pi = l2cap_pi(sk);
2468 struct l2cap_conf_req *req = data;
bd3c9e25 2469 struct l2cap_conf_rfc rfc = { .mode = pi->mode };
1da177e4
LT		 2470 void *ptr = req->data;
2471
2472 BT_DBG("sk %p", sk);
2473
f2fcfcd6
GP		 2474 if (pi->num_conf_req || pi->num_conf_rsp)
2475 goto done;
2476
2477 switch (pi->mode) {
2478 case L2CAP_MODE_STREAMING:
2479 case L2CAP_MODE_ERTM:
2ba13ed6 2480 if (pi->conf_state & L2CAP_CONF_STATE2_DEVICE)
85eb53c6 2481 break;
85eb53c6 2482
2ba13ed6 2483 /* fall through */
f2fcfcd6
GP		 2484 default:
2485 pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
2486 break;
2487 }
2488
2489done:
65c7c491
MH		 2490 switch (pi->mode) {
2491 case L2CAP_MODE_BASIC:
2492 if (pi->imtu != L2CAP_DEFAULT_MTU)
2493 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
62547752
GP		 2494
2495 rfc.mode = L2CAP_MODE_BASIC;
2496 rfc.txwin_size = 0;
2497 rfc.max_transmit = 0;
2498 rfc.retrans_timeout = 0;
2499 rfc.monitor_timeout = 0;
2500 rfc.max_pdu_size = 0;
2501
65c7c491
MH		 2502 break;
2503
2504 case L2CAP_MODE_ERTM:
2505 rfc.mode = L2CAP_MODE_ERTM;
14b5aa71 2506 rfc.txwin_size = pi->tx_win;
68d7f0ce 2507 rfc.max_transmit = pi->max_tx;
f2fcfcd6
GP		 2508 rfc.retrans_timeout = 0;
2509 rfc.monitor_timeout = 0;
c74e560c 2510 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2511 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2512 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
f2fcfcd6 2513
fcc203c3
GP		 2514 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2515 break;
2516
2517 if (pi->fcs == L2CAP_FCS_NONE ||
2518 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2519 pi->fcs = L2CAP_FCS_NONE;
2520 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2521 }
f2fcfcd6
GP		 2522 break;
2523
2524 case L2CAP_MODE_STREAMING:
2525 rfc.mode = L2CAP_MODE_STREAMING;
2526 rfc.txwin_size = 0;
2527 rfc.max_transmit = 0;
2528 rfc.retrans_timeout = 0;
2529 rfc.monitor_timeout = 0;
c74e560c 2530 rfc.max_pdu_size = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
d1daa091 2531 if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
1c762159 2532 rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
65c7c491 2533
fcc203c3
GP		 2534 if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
2535 break;
2536
2537 if (pi->fcs == L2CAP_FCS_NONE ||
2538 pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
2539 pi->fcs = L2CAP_FCS_NONE;
2540 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
2541 }
65c7c491
MH		 2542 break;
2543 }
1da177e4 2544
62547752
GP		 2545 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2546 (unsigned long) &rfc);
2547
1da177e4
LT		 2548 /* FIXME: Need actual value of the flush timeout */
2549 //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
2550 // l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
2551
aca3192c
YH		 2552 req->dcid = cpu_to_le16(pi->dcid);
2553 req->flags = cpu_to_le16(0);
1da177e4
LT		 2554
2555 return ptr - data;
2556}
2557
5dee9e7c 2558static int l2cap_parse_conf_req(struct sock *sk, void *data)
1da177e4
LT		 2559{
2560 struct l2cap_pinfo *pi = l2cap_pi(sk);
5dee9e7c
MH		 2561 struct l2cap_conf_rsp *rsp = data;
2562 void *ptr = rsp->data;
2563 void *req = pi->conf_req;
2564 int len = pi->conf_len;
2565 int type, hint, olen;
2566 unsigned long val;
6464f35f 2567 struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
861d6882 2568 u16 mtu = L2CAP_DEFAULT_MTU;
5dee9e7c 2569 u16 result = L2CAP_CONF_SUCCESS;
1da177e4 2570
5dee9e7c 2571 BT_DBG("sk %p", sk);
820ae1b8 2572
5dee9e7c
MH		 2573 while (len >= L2CAP_CONF_OPT_SIZE) {
2574 len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
1da177e4 2575
589d2746 2576 hint = type & L2CAP_CONF_HINT;
47ec1dcd 2577 type &= L2CAP_CONF_MASK;
5dee9e7c
MH		 2578
2579 switch (type) {
2580 case L2CAP_CONF_MTU:
861d6882 2581 mtu = val;
5dee9e7c
MH		 2582 break;
2583
2584 case L2CAP_CONF_FLUSH_TO:
2585 pi->flush_to = val;
2586 break;
2587
2588 case L2CAP_CONF_QOS:
2589 break;
2590
6464f35f
MH		 2591 case L2CAP_CONF_RFC:
2592 if (olen == sizeof(rfc))
2593 memcpy(&rfc, (void *) val, olen);
2594 break;
2595
fcc203c3
GP		 2596 case L2CAP_CONF_FCS:
2597 if (val == L2CAP_FCS_NONE)
2598 pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
2599
2600 break;
2601
5dee9e7c
MH		 2602 default:
2603 if (hint)
2604 break;
2605
2606 result = L2CAP_CONF_UNKNOWN;
2607 *((u8 *) ptr++) = type;
2608 break;
2609 }
2610 }
2611
f2fcfcd6
GP		 2612 if (pi->num_conf_rsp || pi->num_conf_req)
2613 goto done;
2614
2615 switch (pi->mode) {
2616 case L2CAP_MODE_STREAMING:
2617 case L2CAP_MODE_ERTM:
85eb53c6
GP		 2618 if (!(pi->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
2619 pi->mode = l2cap_select_mode(rfc.mode,
2620 pi->conn->feat_mask);
2621 break;
2622 }
2623
742e519b 2624 if (pi->mode != rfc.mode)
f2fcfcd6 2625 return -ECONNREFUSED;
742e519b 2626
f2fcfcd6 2627 break;
f2fcfcd6
GP		 2628 }
2629
2630done:
2631 if (pi->mode != rfc.mode) {
2632 result = L2CAP_CONF_UNACCEPT;
2633 rfc.mode = pi->mode;
2634
2635 if (pi->num_conf_rsp == 1)
2636 return -ECONNREFUSED;
2637
2638 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2639 sizeof(rfc), (unsigned long) &rfc);
2640 }
2641
2642
5dee9e7c
MH		 2643 if (result == L2CAP_CONF_SUCCESS) {
2644 /* Configure output options and let the other side know
2645 * which ones we don't like. */
2646
f2fcfcd6
GP		 2647 if (mtu < L2CAP_DEFAULT_MIN_MTU)
2648 result = L2CAP_CONF_UNACCEPT;
2649 else {
2650 pi->omtu = mtu;
2651 pi->conf_state |= L2CAP_CONF_MTU_DONE;
2652 }
2653 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
6464f35f 2654
f2fcfcd6
GP		 2655 switch (rfc.mode) {
2656 case L2CAP_MODE_BASIC:
2657 pi->fcs = L2CAP_FCS_NONE;
2658 pi->conf_state |= L2CAP_CONF_MODE_DONE;
2659 break;
2660
2661 case L2CAP_MODE_ERTM:
2662 pi->remote_tx_win = rfc.txwin_size;
2663 pi->remote_max_tx = rfc.max_transmit;
1c762159
GP		 2664 if (rfc.max_pdu_size > pi->conn->mtu - 10)
2665 rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
2666
2667 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6 2668
10467e9e
GP		 2669 rfc.retrans_timeout =
2670 le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
2671 rfc.monitor_timeout =
2672 le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
f2fcfcd6
GP		 2673
2674 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2675
2676 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2677 sizeof(rfc), (unsigned long) &rfc);
2678
f2fcfcd6
GP		 2679 break;
2680
2681 case L2CAP_MODE_STREAMING:
1c762159
GP		 2682 if (rfc.max_pdu_size > pi->conn->mtu - 10)
2683 rfc.max_pdu_size = le16_to_cpu(pi->conn->mtu - 10);
2684
2685 pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2686
2687 pi->conf_state |= L2CAP_CONF_MODE_DONE;
68ae6639
GP		 2688
2689 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2690 sizeof(rfc), (unsigned long) &rfc);
2691
f2fcfcd6
GP		 2692 break;
2693
2694 default:
5dee9e7c 2695 result = L2CAP_CONF_UNACCEPT;
5dee9e7c 2696
6464f35f 2697 memset(&rfc, 0, sizeof(rfc));
f2fcfcd6
GP		 2698 rfc.mode = pi->mode;
2699 }
6464f35f 2700
f2fcfcd6
GP		 2701 if (result == L2CAP_CONF_SUCCESS)
2702 pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
2703 }
5dee9e7c
MH		 2704 rsp->scid = cpu_to_le16(pi->dcid);
2705 rsp->result = cpu_to_le16(result);
2706 rsp->flags = cpu_to_le16(0x0000);
2707
2708 return ptr - data;
1da177e4
LT		 2709}
2710
f2fcfcd6
GP		 2711static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
2712{
2713 struct l2cap_pinfo *pi = l2cap_pi(sk);
2714 struct l2cap_conf_req *req = data;
2715 void *ptr = req->data;
2716 int type, olen;
2717 unsigned long val;
2718 struct l2cap_conf_rfc rfc;
2719
2720 BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
2721
2722 while (len >= L2CAP_CONF_OPT_SIZE) {
2723 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2724
2725 switch (type) {
2726 case L2CAP_CONF_MTU:
2727 if (val < L2CAP_DEFAULT_MIN_MTU) {
2728 *result = L2CAP_CONF_UNACCEPT;
2729 pi->omtu = L2CAP_DEFAULT_MIN_MTU;
2730 } else
2731 pi->omtu = val;
2732 l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
2733 break;
2734
2735 case L2CAP_CONF_FLUSH_TO:
2736 pi->flush_to = val;
2737 l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2738 2, pi->flush_to);
2739 break;
2740
2741 case L2CAP_CONF_RFC:
2742 if (olen == sizeof(rfc))
2743 memcpy(&rfc, (void *)val, olen);
2744
2745 if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
2746 rfc.mode != pi->mode)
2747 return -ECONNREFUSED;
2748
f2fcfcd6
GP		 2749 pi->fcs = 0;
2750
2751 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2752 sizeof(rfc), (unsigned long) &rfc);
2753 break;
2754 }
2755 }
2756
6c2ea7a8
GP		 2757 if (pi->mode == L2CAP_MODE_BASIC && pi->mode != rfc.mode)
2758 return -ECONNREFUSED;
2759
2760 pi->mode = rfc.mode;
2761
f2fcfcd6
GP		 2762 if (*result == L2CAP_CONF_SUCCESS) {
2763 switch (rfc.mode) {
2764 case L2CAP_MODE_ERTM:
2765 pi->remote_tx_win = rfc.txwin_size;
10467e9e
GP		 2766 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2767 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
1c762159 2768 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2769 break;
2770 case L2CAP_MODE_STREAMING:
1c762159 2771 pi->mps = le16_to_cpu(rfc.max_pdu_size);
f2fcfcd6
GP		 2772 }
2773 }
2774
2775 req->dcid = cpu_to_le16(pi->dcid);
2776 req->flags = cpu_to_le16(0x0000);
2777
2778 return ptr - data;
2779}
2780
5dee9e7c 2781static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
1da177e4
LT		 2782{
2783 struct l2cap_conf_rsp *rsp = data;
2784 void *ptr = rsp->data;
1da177e4 2785
5dee9e7c 2786 BT_DBG("sk %p", sk);
1da177e4 2787
aca3192c 2788 rsp->scid = cpu_to_le16(l2cap_pi(sk)->dcid);
5dee9e7c 2789 rsp->result = cpu_to_le16(result);
aca3192c 2790 rsp->flags = cpu_to_le16(flags);
1da177e4
LT		 2791
2792 return ptr - data;
2793}
2794
7b1c0049
GP		 2795static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
2796{
2797 struct l2cap_pinfo *pi = l2cap_pi(sk);
2798 int type, olen;
2799 unsigned long val;
2800 struct l2cap_conf_rfc rfc;
2801
2802 BT_DBG("sk %p, rsp %p, len %d", sk, rsp, len);
2803
2804 if ((pi->mode != L2CAP_MODE_ERTM) && (pi->mode != L2CAP_MODE_STREAMING))
2805 return;
2806
2807 while (len >= L2CAP_CONF_OPT_SIZE) {
2808 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2809
2810 switch (type) {
2811 case L2CAP_CONF_RFC:
2812 if (olen == sizeof(rfc))
2813 memcpy(&rfc, (void *)val, olen);
2814 goto done;
2815 }
2816 }
2817
2818done:
2819 switch (rfc.mode) {
2820 case L2CAP_MODE_ERTM:
2821 pi->remote_tx_win = rfc.txwin_size;
10467e9e
GP		 2822 pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
2823 pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
7b1c0049
GP		 2824 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2825 break;
2826 case L2CAP_MODE_STREAMING:
2827 pi->mps = le16_to_cpu(rfc.max_pdu_size);
2828 }
2829}
2830
4e8402a3
MH		 2831static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2832{
2833 struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
2834
2835 if (rej->reason != 0x0000)
2836 return 0;
2837
2838 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2839 cmd->ident == conn->info_ident) {
4e8402a3 2840 del_timer(&conn->info_timer);
984947dc
MH		 2841
2842 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 2843 conn->info_ident = 0;
984947dc 2844
4e8402a3
MH		 2845 l2cap_conn_start(conn);
2846 }
2847
2848 return 0;
2849}
2850
1da177e4
LT		 2851static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2852{
2853 struct l2cap_chan_list *list = &conn->chan_list;
2854 struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
2855 struct l2cap_conn_rsp rsp;
2856 struct sock *sk, *parent;
e7c29cb1 2857 int result, status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2858
2859 u16 dcid = 0, scid = __le16_to_cpu(req->scid);
e7c29cb1 2860 __le16 psm = req->psm;
1da177e4
LT		 2861
2862 BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
2863
2864 /* Check if we have socket listening on psm */
2865 parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
2866 if (!parent) {
2867 result = L2CAP_CR_BAD_PSM;
2868 goto sendresp;
2869 }
2870
e7c29cb1
MH		 2871 /* Check if the ACL is secure enough (if not SDP) */
2872 if (psm != cpu_to_le16(0x0001) &&
2873 !hci_conn_check_link_mode(conn->hcon)) {
2950f21a 2874 conn->disc_reason = 0x05;
e7c29cb1
MH		 2875 result = L2CAP_CR_SEC_BLOCK;
2876 goto response;
2877 }
2878
1da177e4
LT		 2879 result = L2CAP_CR_NO_MEM;
2880
2881 /* Check for backlog size */
2882 if (sk_acceptq_is_full(parent)) {
8e87d142 2883 BT_DBG("backlog full %d", parent->sk_ack_backlog);
1da177e4
LT		 2884 goto response;
2885 }
2886
3b1e0a65 2887 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
1da177e4
LT		 2888 if (!sk)
2889 goto response;
2890
fd1278d7 2891 write_lock_bh(&list->lock);
1da177e4
LT		 2892
2893 /* Check if we already have channel with that dcid */
2894 if (__l2cap_get_chan_by_dcid(list, scid)) {
fd1278d7 2895 write_unlock_bh(&list->lock);
1da177e4
LT		 2896 sock_set_flag(sk, SOCK_ZAPPED);
2897 l2cap_sock_kill(sk);
2898 goto response;
2899 }
2900
2901 hci_conn_hold(conn->hcon);
2902
2903 l2cap_sock_init(sk, parent);
2904 bacpy(&bt_sk(sk)->src, conn->src);
2905 bacpy(&bt_sk(sk)->dst, conn->dst);
2906 l2cap_pi(sk)->psm = psm;
2907 l2cap_pi(sk)->dcid = scid;
2908
2909 __l2cap_chan_add(conn, sk, parent);
2910 dcid = l2cap_pi(sk)->scid;
2911
2912 l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
2913
1da177e4
LT		 2914 l2cap_pi(sk)->ident = cmd->ident;
2915
984947dc 2916 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
2af6b9d5 2917 if (l2cap_check_security(sk)) {
f66dc81f
MH		 2918 if (bt_sk(sk)->defer_setup) {
2919 sk->sk_state = BT_CONNECT2;
2920 result = L2CAP_CR_PEND;
2921 status = L2CAP_CS_AUTHOR_PEND;
2922 parent->sk_data_ready(parent, 0);
2923 } else {
2924 sk->sk_state = BT_CONFIG;
2925 result = L2CAP_CR_SUCCESS;
2926 status = L2CAP_CS_NO_INFO;
2927 }
79d554a6
MH		 2928 } else {
2929 sk->sk_state = BT_CONNECT2;
2930 result = L2CAP_CR_PEND;
2931 status = L2CAP_CS_AUTHEN_PEND;
2932 }
2933 } else {
2934 sk->sk_state = BT_CONNECT2;
2935 result = L2CAP_CR_PEND;
2936 status = L2CAP_CS_NO_INFO;
1da177e4
LT		 2937 }
2938
fd1278d7 2939 write_unlock_bh(&list->lock);
1da177e4
LT		 2940
2941response:
2942 bh_unlock_sock(parent);
2943
2944sendresp:
aca3192c
YH		 2945 rsp.scid = cpu_to_le16(scid);
2946 rsp.dcid = cpu_to_le16(dcid);
2947 rsp.result = cpu_to_le16(result);
2948 rsp.status = cpu_to_le16(status);
1da177e4 2949 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
79d554a6
MH		 2950
2951 if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
2952 struct l2cap_info_req info;
2953 info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
2954
2955 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2956 conn->info_ident = l2cap_get_ident(conn);
2957
2958 mod_timer(&conn->info_timer, jiffies +
2959 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2960
2961 l2cap_send_cmd(conn, conn->info_ident,
2962 L2CAP_INFO_REQ, sizeof(info), &info);
2963 }
2964
1da177e4
LT		 2965 return 0;
2966}
2967
2968static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
2969{
2970 struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
2971 u16 scid, dcid, result, status;
2972 struct sock *sk;
2973 u8 req[128];
2974
2975 scid = __le16_to_cpu(rsp->scid);
2976 dcid = __le16_to_cpu(rsp->dcid);
2977 result = __le16_to_cpu(rsp->result);
2978 status = __le16_to_cpu(rsp->status);
2979
2980 BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
2981
2982 if (scid) {
af05b30b
GP		 2983 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
2984 if (!sk)
1da177e4
LT		 2985 return 0;
2986 } else {
af05b30b
GP		 2987 sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
2988 if (!sk)
1da177e4
LT		 2989 return 0;
2990 }
2991
2992 switch (result) {
2993 case L2CAP_CR_SUCCESS:
2994 sk->sk_state = BT_CONFIG;
2995 l2cap_pi(sk)->ident = 0;
2996 l2cap_pi(sk)->dcid = dcid;
2997 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
6a8d3010
MH		 2998 l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
2999
1da177e4
LT		 3000 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
3001 l2cap_build_conf_req(sk, req), req);
f2fcfcd6 3002 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 3003 break;
3004
3005 case L2CAP_CR_PEND:
6a8d3010 3006 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4
LT		 3007 break;
3008
3009 default:
3010 l2cap_chan_del(sk, ECONNREFUSED);
3011 break;
3012 }
3013
3014 bh_unlock_sock(sk);
3015 return 0;
3016}
3017
88219a0f 3018static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
1da177e4
LT		 3019{
3020 struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
3021 u16 dcid, flags;
3022 u8 rsp[64];
3023 struct sock *sk;
5dee9e7c 3024 int len;
1da177e4
LT		 3025
3026 dcid = __le16_to_cpu(req->dcid);
3027 flags = __le16_to_cpu(req->flags);
3028
3029 BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
3030
af05b30b
GP		 3031 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3032 if (!sk)
1da177e4
LT		 3033 return -ENOENT;
3034
8cb8e6f1
GP		 3035 if (sk->sk_state != BT_CONFIG) {
3036 struct l2cap_cmd_rej rej;
3037
3038 rej.reason = cpu_to_le16(0x0002);
3039 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
3040 sizeof(rej), &rej);
354f60a9 3041 goto unlock;
8cb8e6f1 3042 }
354f60a9 3043
5dee9e7c 3044 /* Reject if config buffer is too small. */
88219a0f 3045 len = cmd_len - sizeof(*req);
5dee9e7c
MH		 3046 if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
3047 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
3048 l2cap_build_conf_rsp(sk, rsp,
3049 L2CAP_CONF_REJECT, flags), rsp);
3050 goto unlock;
3051 }
3052
3053 /* Store config. */
3054 memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
3055 l2cap_pi(sk)->conf_len += len;
1da177e4
LT		 3056
3057 if (flags & 0x0001) {
3058 /* Incomplete config. Send empty response. */
3059 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
5dee9e7c
MH		 3060 l2cap_build_conf_rsp(sk, rsp,
3061 L2CAP_CONF_SUCCESS, 0x0001), rsp);
1da177e4
LT		 3062 goto unlock;
3063 }
3064
3065 /* Complete config. */
5dee9e7c 3066 len = l2cap_parse_conf_req(sk, rsp);
f2fcfcd6 3067 if (len < 0) {
9b108fc0 3068 l2cap_send_disconn_req(conn, sk, ECONNRESET);
1da177e4 3069 goto unlock;
f2fcfcd6 3070 }
1da177e4 3071
5dee9e7c 3072 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
f2fcfcd6 3073 l2cap_pi(sk)->num_conf_rsp++;
5dee9e7c 3074
5dee9e7c
MH		 3075 /* Reset config buffer. */
3076 l2cap_pi(sk)->conf_len = 0;
3077
876d9484
MH		 3078 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
3079 goto unlock;
3080
1da177e4 3081 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
f64f9e71
JP		 3082 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
3083 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
fcc203c3
GP		 3084 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
3085
1da177e4 3086 sk->sk_state = BT_CONNECTED;
e90bac06 3087
0565c1c2
GP		 3088 l2cap_pi(sk)->next_tx_seq = 0;
3089 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 3090 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 3091 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3092 l2cap_ertm_init(sk);
3093
1da177e4 3094 l2cap_chan_ready(sk);
876d9484
MH		 3095 goto unlock;
3096 }
3097
3098 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
79d554a6 3099 u8 buf[64];
1da177e4 3100 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
79d554a6 3101 l2cap_build_conf_req(sk, buf), buf);
f2fcfcd6 3102 l2cap_pi(sk)->num_conf_req++;
1da177e4
LT		 3103 }
3104
3105unlock:
3106 bh_unlock_sock(sk);
3107 return 0;
3108}
3109
3110static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3111{
3112 struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
3113 u16 scid, flags, result;
3114 struct sock *sk;
7b1c0049 3115 int len = cmd->len - sizeof(*rsp);
1da177e4
LT		 3116
3117 scid = __le16_to_cpu(rsp->scid);
3118 flags = __le16_to_cpu(rsp->flags);
3119 result = __le16_to_cpu(rsp->result);
3120
af05b30b
GP		 3121 BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
3122 scid, flags, result);
1da177e4 3123
af05b30b
GP		 3124 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3125 if (!sk)
1da177e4
LT		 3126 return 0;
3127
3128 switch (result) {
3129 case L2CAP_CONF_SUCCESS:
7b1c0049 3130 l2cap_conf_rfc_get(sk, rsp->data, len);
1da177e4
LT		 3131 break;
3132
3133 case L2CAP_CONF_UNACCEPT:
f2fcfcd6 3134 if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
f2fcfcd6
GP		 3135 char req[64];
3136
c2c77ec8 3137 if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
9b108fc0 3138 l2cap_send_disconn_req(conn, sk, ECONNRESET);
c2c77ec8
AE		 3139 goto done;
3140 }
3141
f2fcfcd6
GP		 3142 /* throw out any old stored conf requests */
3143 result = L2CAP_CONF_SUCCESS;
3144 len = l2cap_parse_conf_rsp(sk, rsp->data,
3145 len, req, &result);
3146 if (len < 0) {
9b108fc0 3147 l2cap_send_disconn_req(conn, sk, ECONNRESET);
f2fcfcd6
GP		 3148 goto done;
3149 }
3150
3151 l2cap_send_cmd(conn, l2cap_get_ident(conn),
3152 L2CAP_CONF_REQ, len, req);
3153 l2cap_pi(sk)->num_conf_req++;
3154 if (result != L2CAP_CONF_SUCCESS)
3155 goto done;
3156 break;
1da177e4
LT		 3157 }
3158
8e87d142 3159 default:
b1235d79 3160 sk->sk_err = ECONNRESET;
1da177e4 3161 l2cap_sock_set_timer(sk, HZ * 5);
9b108fc0 3162 l2cap_send_disconn_req(conn, sk, ECONNRESET);
1da177e4
LT		 3163 goto done;
3164 }
3165
3166 if (flags & 0x01)
3167 goto done;
3168
1da177e4
LT		 3169 l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
3170
3171 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
f64f9e71
JP		 3172 if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_NO_FCS_RECV) ||
3173 l2cap_pi(sk)->fcs != L2CAP_FCS_NONE)
fcc203c3
GP		 3174 l2cap_pi(sk)->fcs = L2CAP_FCS_CRC16;
3175
1da177e4 3176 sk->sk_state = BT_CONNECTED;
0565c1c2 3177 l2cap_pi(sk)->next_tx_seq = 0;
1c2acffb 3178 l2cap_pi(sk)->expected_tx_seq = 0;
1c2acffb 3179 __skb_queue_head_init(TX_QUEUE(sk));
0565c1c2
GP		 3180 if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
3181 l2cap_ertm_init(sk);
3182
1da177e4
LT		 3183 l2cap_chan_ready(sk);
3184 }
3185
3186done:
3187 bh_unlock_sock(sk);
3188 return 0;
3189}
3190
3191static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3192{
3193 struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
3194 struct l2cap_disconn_rsp rsp;
3195 u16 dcid, scid;
3196 struct sock *sk;
3197
3198 scid = __le16_to_cpu(req->scid);
3199 dcid = __le16_to_cpu(req->dcid);
3200
3201 BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
3202
af05b30b
GP		 3203 sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
3204 if (!sk)
1da177e4
LT		 3205 return 0;
3206
aca3192c
YH		 3207 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
3208 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
1da177e4
LT		 3209 l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
3210
3211 sk->sk_shutdown = SHUTDOWN_MASK;
3212
3213 l2cap_chan_del(sk, ECONNRESET);
3214 bh_unlock_sock(sk);
3215
3216 l2cap_sock_kill(sk);
3217 return 0;
3218}
3219
3220static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3221{
3222 struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
3223 u16 dcid, scid;
3224 struct sock *sk;
3225
3226 scid = __le16_to_cpu(rsp->scid);
3227 dcid = __le16_to_cpu(rsp->dcid);
3228
3229 BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
3230
af05b30b
GP		 3231 sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
3232 if (!sk)
1da177e4
LT		 3233 return 0;
3234
3235 l2cap_chan_del(sk, 0);
3236 bh_unlock_sock(sk);
3237
3238 l2cap_sock_kill(sk);
3239 return 0;
3240}
3241
3242static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3243{
3244 struct l2cap_info_req *req = (struct l2cap_info_req *) data;
1da177e4
LT		 3245 u16 type;
3246
3247 type = __le16_to_cpu(req->type);
3248
3249 BT_DBG("type 0x%4.4x", type);
3250
f0709e03
MH		 3251 if (type == L2CAP_IT_FEAT_MASK) {
3252 u8 buf[8];
44dd46de 3253 u32 feat_mask = l2cap_feat_mask;
f0709e03
MH		 3254 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3255 rsp->type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
3256 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
44dd46de 3257 if (enable_ertm)
fcc203c3
GP		 3258 feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
3259 | L2CAP_FEAT_FCS;
1b7bf4ed 3260 put_unaligned_le32(feat_mask, rsp->data);
f0709e03
MH		 3261 l2cap_send_cmd(conn, cmd->ident,
3262 L2CAP_INFO_RSP, sizeof(buf), buf);
e1027a7c
MH		 3263 } else if (type == L2CAP_IT_FIXED_CHAN) {
3264 u8 buf[12];
3265 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
3266 rsp->type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3267 rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
3268 memcpy(buf + 4, l2cap_fixed_chan, 8);
3269 l2cap_send_cmd(conn, cmd->ident,
3270 L2CAP_INFO_RSP, sizeof(buf), buf);
f0709e03
MH		 3271 } else {
3272 struct l2cap_info_rsp rsp;
3273 rsp.type = cpu_to_le16(type);
3274 rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
3275 l2cap_send_cmd(conn, cmd->ident,
3276 L2CAP_INFO_RSP, sizeof(rsp), &rsp);
3277 }
1da177e4
LT		 3278
3279 return 0;
3280}
3281
3282static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
3283{
3284 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
3285 u16 type, result;
3286
3287 type = __le16_to_cpu(rsp->type);
3288 result = __le16_to_cpu(rsp->result);
3289
3290 BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
3291
4e8402a3
MH		 3292 del_timer(&conn->info_timer);
3293
984947dc 3294 if (type == L2CAP_IT_FEAT_MASK) {
83985319 3295 conn->feat_mask = get_unaligned_le32(rsp->data);
4e8402a3 3296
47ec1dcd 3297 if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
e1027a7c
MH		 3298 struct l2cap_info_req req;
3299 req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
3300
3301 conn->info_ident = l2cap_get_ident(conn);
3302
3303 l2cap_send_cmd(conn, conn->info_ident,
3304 L2CAP_INFO_REQ, sizeof(req), &req);
3305 } else {
3306 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
3307 conn->info_ident = 0;
3308
3309 l2cap_conn_start(conn);
3310 }
3311 } else if (type == L2CAP_IT_FIXED_CHAN) {
984947dc 3312 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
e1027a7c 3313 conn->info_ident = 0;
984947dc
MH		 3314
3315 l2cap_conn_start(conn);
3316 }
4e8402a3 3317
1da177e4
LT		 3318 return 0;
3319}
3320
3321static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
3322{
3323 u8 *data = skb->data;
3324 int len = skb->len;
3325 struct l2cap_cmd_hdr cmd;
3326 int err = 0;
3327
3328 l2cap_raw_recv(conn, skb);
3329
3330 while (len >= L2CAP_CMD_HDR_SIZE) {
88219a0f 3331 u16 cmd_len;
1da177e4
LT		 3332 memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
3333 data += L2CAP_CMD_HDR_SIZE;
3334 len -= L2CAP_CMD_HDR_SIZE;
3335
88219a0f 3336 cmd_len = le16_to_cpu(cmd.len);
1da177e4 3337
88219a0f 3338 BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
1da177e4 3339
88219a0f 3340 if (cmd_len > len || !cmd.ident) {
1da177e4
LT		 3341 BT_DBG("corrupted command");
3342 break;
3343 }
3344
3345 switch (cmd.code) {
3346 case L2CAP_COMMAND_REJ:
4e8402a3 3347 l2cap_command_rej(conn, &cmd, data);
1da177e4
LT		 3348 break;
3349
3350 case L2CAP_CONN_REQ:
3351 err = l2cap_connect_req(conn, &cmd, data);
3352 break;
3353
3354 case L2CAP_CONN_RSP:
3355 err = l2cap_connect_rsp(conn, &cmd, data);
3356 break;
3357
3358 case L2CAP_CONF_REQ:
88219a0f 3359 err = l2cap_config_req(conn, &cmd, cmd_len, data);
1da177e4
LT		 3360 break;
3361
3362 case L2CAP_CONF_RSP:
3363 err = l2cap_config_rsp(conn, &cmd, data);
3364 break;
3365
3366 case L2CAP_DISCONN_REQ:
3367 err = l2cap_disconnect_req(conn, &cmd, data);
3368 break;
3369
3370 case L2CAP_DISCONN_RSP:
3371 err = l2cap_disconnect_rsp(conn, &cmd, data);
3372 break;
3373
3374 case L2CAP_ECHO_REQ:
88219a0f 3375 l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
1da177e4
LT		 3376 break;
3377
3378 case L2CAP_ECHO_RSP:
3379 break;
3380
3381 case L2CAP_INFO_REQ:
3382 err = l2cap_information_req(conn, &cmd, data);
3383 break;
3384
3385 case L2CAP_INFO_RSP:
3386 err = l2cap_information_rsp(conn, &cmd, data);
3387 break;
3388
3389 default:
3390 BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
3391 err = -EINVAL;
3392 break;
3393 }
3394
3395 if (err) {
3396 struct l2cap_cmd_rej rej;
3397 BT_DBG("error %d", err);
3398
3399 /* FIXME: Map err to a valid reason */
aca3192c 3400 rej.reason = cpu_to_le16(0);
1da177e4
LT		 3401 l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
3402 }
3403
88219a0f
AV		 3404 data += cmd_len;
3405 len -= cmd_len;
1da177e4
LT		 3406 }
3407
3408 kfree_skb(skb);
3409}
3410
fcc203c3
GP		 3411static int l2cap_check_fcs(struct l2cap_pinfo *pi, struct sk_buff *skb)
3412{
3413 u16 our_fcs, rcv_fcs;
3414 int hdr_size = L2CAP_HDR_SIZE + 2;
3415
3416 if (pi->fcs == L2CAP_FCS_CRC16) {
3417 skb_trim(skb, skb->len - 2);
3418 rcv_fcs = get_unaligned_le16(skb->data + skb->len);
3419 our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
3420
3421 if (our_fcs != rcv_fcs)
3422 return -EINVAL;
3423 }
3424 return 0;
3425}
3426
d5392c8f
GP		 3427static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
3428{
3429 struct l2cap_pinfo *pi = l2cap_pi(sk);
3430 u16 control = 0;
3431
3432 pi->frames_sent = 0;
d5392c8f
GP		 3433
3434 control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3435
3436 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
64988868 3437 control |= L2CAP_SUPER_RCV_NOT_READY;
d5392c8f 3438 l2cap_send_sframe(pi, control);
1890d36b 3439 pi->conn_state |= L2CAP_CONN_RNR_SENT;
d5392c8f
GP		 3440 }
3441
4ea727ef
GP		 3442 if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY)
3443 l2cap_retransmit_frames(sk);
d5392c8f
GP		 3444
3445 l2cap_ertm_send(sk);
3446
3447 if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
3448 pi->frames_sent == 0) {
3449 control |= L2CAP_SUPER_RCV_READY;
d5392c8f
GP		 3450 l2cap_send_sframe(pi, control);
3451 }
3452}
3453
9b53350d 3454static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
8f17154f
GP		 3455{
3456 struct sk_buff *next_skb;
bfbacc11
JPRV		 3457 struct l2cap_pinfo *pi = l2cap_pi(sk);
3458 int tx_seq_offset, next_tx_seq_offset;
8f17154f
GP		 3459
3460 bt_cb(skb)->tx_seq = tx_seq;
3461 bt_cb(skb)->sar = sar;
3462
3463 next_skb = skb_peek(SREJ_QUEUE(sk));
3464 if (!next_skb) {
3465 __skb_queue_tail(SREJ_QUEUE(sk), skb);
9b53350d 3466 return 0;
8f17154f
GP		 3467 }
3468
bfbacc11
JPRV		 3469 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3470 if (tx_seq_offset < 0)
3471 tx_seq_offset += 64;
3472
8f17154f 3473 do {
9b53350d
JPRV		 3474 if (bt_cb(next_skb)->tx_seq == tx_seq)
3475 return -EINVAL;
3476
bfbacc11
JPRV		 3477 next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
3478 pi->buffer_seq) % 64;
3479 if (next_tx_seq_offset < 0)
3480 next_tx_seq_offset += 64;
3481
3482 if (next_tx_seq_offset > tx_seq_offset) {
8f17154f 3483 __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
9b53350d 3484 return 0;
8f17154f
GP		 3485 }
3486
3487 if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
3488 break;
3489
59203a21 3490 } while ((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
8f17154f
GP		 3491
3492 __skb_queue_tail(SREJ_QUEUE(sk), skb);
9b53350d
JPRV		 3493
3494 return 0;
8f17154f
GP		 3495}
3496
18778a63
GP		 3497static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
3498{
3499 struct l2cap_pinfo *pi = l2cap_pi(sk);
3500 struct sk_buff *_skb;
1890d36b 3501 int err;
18778a63
GP		 3502
3503 switch (control & L2CAP_CTRL_SAR) {
3504 case L2CAP_SDU_UNSEGMENTED:
3505 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3506 goto drop;
3507
3508 err = sock_queue_rcv_skb(sk, skb);
3509 if (!err)
3510 return err;
3511
3512 break;
3513
3514 case L2CAP_SDU_START:
3515 if (pi->conn_state & L2CAP_CONN_SAR_SDU)
3516 goto drop;
3517
3518 pi->sdu_len = get_unaligned_le16(skb->data);
18778a63
GP		 3519
3520 if (pi->sdu_len > pi->imtu)
3521 goto disconnect;
3522
3523 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
1890d36b
GP		 3524 if (!pi->sdu)
3525 return -ENOMEM;
3526
3527 /* pull sdu_len bytes only after alloc, because of Local Busy
3528 * condition we have to be sure that this will be executed
3529 * only once, i.e., when alloc does not fail */
3530 skb_pull(skb, 2);
18778a63
GP		 3531
3532 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3533
3534 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3535 pi->partial_sdu_len = skb->len;
3536 break;
3537
3538 case L2CAP_SDU_CONTINUE:
3539 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3540 goto disconnect;
3541
3542 if (!pi->sdu)
3543 goto disconnect;
3544
18778a63
GP		 3545 pi->partial_sdu_len += skb->len;
3546 if (pi->partial_sdu_len > pi->sdu_len)
3547 goto drop;
3548
4178ba46
GP		 3549 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3550
18778a63
GP		 3551 break;
3552
3553 case L2CAP_SDU_END:
3554 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3555 goto disconnect;
3556
3557 if (!pi->sdu)
3558 goto disconnect;
3559
1890d36b 3560 if (!(pi->conn_state & L2CAP_CONN_SAR_RETRY)) {
1890d36b 3561 pi->partial_sdu_len += skb->len;
18778a63 3562
1890d36b
GP		 3563 if (pi->partial_sdu_len > pi->imtu)
3564 goto drop;
18778a63 3565
1890d36b
GP		 3566 if (pi->partial_sdu_len != pi->sdu_len)
3567 goto drop;
4178ba46
GP		 3568
3569 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
1890d36b 3570 }
18778a63
GP		 3571
3572 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
1890d36b
GP		 3573 if (!_skb) {
3574 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3575 return -ENOMEM;
3576 }
3577
18778a63 3578 err = sock_queue_rcv_skb(sk, _skb);
1890d36b 3579 if (err < 0) {
18778a63 3580 kfree_skb(_skb);
1890d36b
GP		 3581 pi->conn_state |= L2CAP_CONN_SAR_RETRY;
3582 return err;
3583 }
3584
3585 pi->conn_state &= ~L2CAP_CONN_SAR_RETRY;
3586 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
18778a63
GP		 3587
3588 kfree_skb(pi->sdu);
3589 break;
3590 }
3591
3592 kfree_skb(skb);
1890d36b 3593 return 0;
18778a63
GP		 3594
3595drop:
3596 kfree_skb(pi->sdu);
3597 pi->sdu = NULL;
3598
3599disconnect:
9b108fc0 3600 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
18778a63
GP		 3601 kfree_skb(skb);
3602 return 0;
3603}
3604
1890d36b
GP		 3605static void l2cap_busy_work(struct work_struct *work)
3606{
3607 DECLARE_WAITQUEUE(wait, current);
3608 struct l2cap_pinfo *pi =
3609 container_of(work, struct l2cap_pinfo, busy_work);
3610 struct sock *sk = (struct sock *)pi;
3611 int n_tries = 0, timeo = HZ/5, err;
3612 struct sk_buff *skb;
3613 u16 control;
3614
3615 lock_sock(sk);
3616
2b0b05dd 3617 add_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3618 while ((skb = skb_peek(BUSY_QUEUE(sk)))) {
3619 set_current_state(TASK_INTERRUPTIBLE);
3620
3621 if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
3622 err = -EBUSY;
9b108fc0 3623 l2cap_send_disconn_req(pi->conn, sk, EBUSY);
1890d36b
GP		 3624 goto done;
3625 }
3626
3627 if (!timeo)
3628 timeo = HZ/5;
3629
3630 if (signal_pending(current)) {
3631 err = sock_intr_errno(timeo);
3632 goto done;
3633 }
3634
3635 release_sock(sk);
3636 timeo = schedule_timeout(timeo);
3637 lock_sock(sk);
3638
3639 err = sock_error(sk);
3640 if (err)
3641 goto done;
3642
3643 while ((skb = skb_dequeue(BUSY_QUEUE(sk)))) {
3644 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
3645 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3646 if (err < 0) {
3647 skb_queue_head(BUSY_QUEUE(sk), skb);
3648 break;
3649 }
3650
3651 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3652 }
3653
3654 if (!skb)
3655 break;
3656 }
3657
3658 if (!(pi->conn_state & L2CAP_CONN_RNR_SENT))
3659 goto done;
3660
3661 control = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3662 control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
3663 l2cap_send_sframe(pi, control);
3664 l2cap_pi(sk)->retry_count = 1;
3665
3666 del_timer(&pi->retrans_timer);
3667 __mod_monitor_timer();
3668
3669 l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
3670
3671done:
3672 pi->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
3673 pi->conn_state &= ~L2CAP_CONN_RNR_SENT;
3674
0e98958d
GP		 3675 BT_DBG("sk %p, Exit local busy", sk);
3676
1890d36b 3677 set_current_state(TASK_RUNNING);
2b0b05dd 3678 remove_wait_queue(sk_sleep(sk), &wait);
1890d36b
GP		 3679
3680 release_sock(sk);
3681}
3682
3683static int l2cap_push_rx_skb(struct sock *sk, struct sk_buff *skb, u16 control)
3684{
3685 struct l2cap_pinfo *pi = l2cap_pi(sk);
3686 int sctrl, err;
3687
3688 if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
3689 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3690 __skb_queue_tail(BUSY_QUEUE(sk), skb);
3691 return -EBUSY;
3692 }
3693
3694 err = l2cap_ertm_reassembly_sdu(sk, skb, control);
3695 if (err >= 0) {
3696 pi->buffer_seq = (pi->buffer_seq + 1) % 64;
3697 return err;
3698 }
3699
3700 /* Busy Condition */
0e98958d
GP		 3701 BT_DBG("sk %p, Enter local busy", sk);
3702
1890d36b
GP		 3703 pi->conn_state |= L2CAP_CONN_LOCAL_BUSY;
3704 bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
3705 __skb_queue_tail(BUSY_QUEUE(sk), skb);
3706
3707 sctrl = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3708 sctrl |= L2CAP_SUPER_RCV_NOT_READY;
3709 l2cap_send_sframe(pi, sctrl);
3710
3711 pi->conn_state |= L2CAP_CONN_RNR_SENT;
3712
7fe9b298
GP		 3713 del_timer(&pi->ack_timer);
3714
1890d36b
GP		 3715 queue_work(_busy_wq, &pi->busy_work);
3716
3717 return err;
3718}
3719
18778a63 3720static int l2cap_streaming_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
c74e560c
GP		 3721{
3722 struct l2cap_pinfo *pi = l2cap_pi(sk);
3723 struct sk_buff *_skb;
3724 int err = -EINVAL;
3725
18778a63
GP		 3726 /*
3727 * TODO: We have to notify the userland if some data is lost with the
3728 * Streaming Mode.
3729 */
3730
c74e560c
GP		 3731 switch (control & L2CAP_CTRL_SAR) {
3732 case L2CAP_SDU_UNSEGMENTED:
3733 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3734 kfree_skb(pi->sdu);
3735 break;
3736 }
3737
3738 err = sock_queue_rcv_skb(sk, skb);
3739 if (!err)
3740 return 0;
3741
3742 break;
3743
3744 case L2CAP_SDU_START:
3745 if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
3746 kfree_skb(pi->sdu);
3747 break;
3748 }
3749
3750 pi->sdu_len = get_unaligned_le16(skb->data);
3751 skb_pull(skb, 2);
3752
052897ca
GP		 3753 if (pi->sdu_len > pi->imtu) {
3754 err = -EMSGSIZE;
3755 break;
3756 }
3757
c74e560c
GP		 3758 pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
3759 if (!pi->sdu) {
3760 err = -ENOMEM;
3761 break;
3762 }
3763
3764 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3765
3766 pi->conn_state |= L2CAP_CONN_SAR_SDU;
3767 pi->partial_sdu_len = skb->len;
3768 err = 0;
3769 break;
3770
3771 case L2CAP_SDU_CONTINUE:
3772 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3773 break;
3774
3775 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3776
3777 pi->partial_sdu_len += skb->len;
3778 if (pi->partial_sdu_len > pi->sdu_len)
3779 kfree_skb(pi->sdu);
3780 else
3781 err = 0;
3782
3783 break;
3784
3785 case L2CAP_SDU_END:
3786 if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
3787 break;
3788
3789 memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
3790
3791 pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
3792 pi->partial_sdu_len += skb->len;
3793
36f2fd58
GP		 3794 if (pi->partial_sdu_len > pi->imtu)
3795 goto drop;
3796
c74e560c
GP		 3797 if (pi->partial_sdu_len == pi->sdu_len) {
3798 _skb = skb_clone(pi->sdu, GFP_ATOMIC);
3799 err = sock_queue_rcv_skb(sk, _skb);
3800 if (err < 0)
3801 kfree_skb(_skb);
3802 }
c74e560c
GP		 3803 err = 0;
3804
36f2fd58
GP		 3805drop:
3806 kfree_skb(pi->sdu);
c74e560c
GP		 3807 break;
3808 }
3809
3810 kfree_skb(skb);
3811 return err;
3812}
3813
8f17154f
GP		 3814static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
3815{
3816 struct sk_buff *skb;
afefdbc4 3817 u16 control;
8f17154f 3818
59203a21 3819 while ((skb = skb_peek(SREJ_QUEUE(sk)))) {
8f17154f
GP		 3820 if (bt_cb(skb)->tx_seq != tx_seq)
3821 break;
3822
3823 skb = skb_dequeue(SREJ_QUEUE(sk));
afefdbc4 3824 control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
18778a63 3825 l2cap_ertm_reassembly_sdu(sk, skb, control);
8f17154f
GP		 3826 l2cap_pi(sk)->buffer_seq_srej =
3827 (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
8ff50ec0 3828 tx_seq = (tx_seq + 1) % 64;
8f17154f
GP		 3829 }
3830}
3831
3832static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
3833{
3834 struct l2cap_pinfo *pi = l2cap_pi(sk);
3835 struct srej_list *l, *tmp;
3836 u16 control;
3837
59203a21 3838 list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
8f17154f
GP		 3839 if (l->tx_seq == tx_seq) {
3840 list_del(&l->list);
3841 kfree(l);
3842 return;
3843 }
3844 control = L2CAP_SUPER_SELECT_REJECT;
3845 control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3846 l2cap_send_sframe(pi, control);
3847 list_del(&l->list);
3848 list_add_tail(&l->list, SREJ_LIST(sk));
3849 }
3850}
3851
3852static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
3853{
3854 struct l2cap_pinfo *pi = l2cap_pi(sk);
3855 struct srej_list *new;
3856 u16 control;
3857
3858 while (tx_seq != pi->expected_tx_seq) {
3859 control = L2CAP_SUPER_SELECT_REJECT;
3860 control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
3861 l2cap_send_sframe(pi, control);
3862
3863 new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
8ff50ec0
GP		 3864 new->tx_seq = pi->expected_tx_seq;
3865 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
8f17154f
GP		 3866 list_add_tail(&new->list, SREJ_LIST(sk));
3867 }
8ff50ec0 3868 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
8f17154f
GP		 3869}
3870
1c2acffb
GP		 3871static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
3872{
3873 struct l2cap_pinfo *pi = l2cap_pi(sk);
3874 u8 tx_seq = __get_txseq(rx_control);
9f121a5a 3875 u8 req_seq = __get_reqseq(rx_control);
8f17154f 3876 u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
f6337c77 3877 int tx_seq_offset, expected_tx_seq_offset;
803020c6 3878 int num_to_ack = (pi->tx_win/6) + 1;
1c2acffb
GP		 3879 int err = 0;
3880
0e98958d
GP		 3881 BT_DBG("sk %p len %d tx_seq %d rx_control 0x%4.4x", sk, skb->len, tx_seq,
3882 rx_control);
1c2acffb 3883
9b16dc65
GP		 3884 if (L2CAP_CTRL_FINAL & rx_control &&
3885 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
1d8f5d16
GP		 3886 del_timer(&pi->monitor_timer);
3887 if (pi->unacked_frames > 0)
3888 __mod_retrans_timer();
3889 pi->conn_state &= ~L2CAP_CONN_WAIT_F;
3890 }
3891
9f121a5a
GP		 3892 pi->expected_ack_seq = req_seq;
3893 l2cap_drop_acked_frames(sk);
3894
8f17154f
GP		 3895 if (tx_seq == pi->expected_tx_seq)
3896 goto expected;
1c2acffb 3897
9b53350d
JPRV		 3898 tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
3899 if (tx_seq_offset < 0)
3900 tx_seq_offset += 64;
3901
3902 /* invalid tx_seq */
3903 if (tx_seq_offset >= pi->tx_win) {
9b108fc0 3904 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
9b53350d
JPRV		 3905 goto drop;
3906 }
3907
1890d36b
GP		 3908 if (pi->conn_state == L2CAP_CONN_LOCAL_BUSY)
3909 goto drop;
3910
8f17154f
GP		 3911 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3912 struct srej_list *first;
30afb5b2 3913
8f17154f
GP		 3914 first = list_first_entry(SREJ_LIST(sk),
3915 struct srej_list, list);
3916 if (tx_seq == first->tx_seq) {
3917 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3918 l2cap_check_srej_gap(sk, tx_seq);
3919
3920 list_del(&first->list);
3921 kfree(first);
3922
3923 if (list_empty(SREJ_LIST(sk))) {
3924 pi->buffer_seq = pi->buffer_seq_srej;
3925 pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
855666cc 3926 l2cap_send_ack(pi);
0e98958d 3927 BT_DBG("sk %p, Exit SREJ_SENT", sk);
8f17154f
GP		 3928 }
3929 } else {
3930 struct srej_list *l;
9b53350d
JPRV		 3931
3932 /* duplicated tx_seq */
3933 if (l2cap_add_to_srej_queue(sk, skb, tx_seq, sar) < 0)
3934 goto drop;
8f17154f
GP		 3935
3936 list_for_each_entry(l, SREJ_LIST(sk), list) {
3937 if (l->tx_seq == tx_seq) {
3938 l2cap_resend_srejframe(sk, tx_seq);
3939 return 0;
3940 }
3941 }
3942 l2cap_send_srejframe(sk, tx_seq);
30afb5b2
GP		 3943 }
3944 } else {
9b53350d
JPRV		 3945 expected_tx_seq_offset =
3946 (pi->expected_tx_seq - pi->buffer_seq) % 64;
3947 if (expected_tx_seq_offset < 0)
3948 expected_tx_seq_offset += 64;
3949
3950 /* duplicated tx_seq */
3951 if (tx_seq_offset < expected_tx_seq_offset)
3952 goto drop;
3953
8f17154f 3954 pi->conn_state |= L2CAP_CONN_SREJ_SENT;
1c2acffb 3955
0e98958d
GP		 3956 BT_DBG("sk %p, Enter SREJ", sk);
3957
8f17154f
GP		 3958 INIT_LIST_HEAD(SREJ_LIST(sk));
3959 pi->buffer_seq_srej = pi->buffer_seq;
3960
3961 __skb_queue_head_init(SREJ_QUEUE(sk));
1890d36b 3962 __skb_queue_head_init(BUSY_QUEUE(sk));
8f17154f
GP		 3963 l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
3964
ef54fd93
GP		 3965 pi->conn_state |= L2CAP_CONN_SEND_PBIT;
3966
8f17154f 3967 l2cap_send_srejframe(sk, tx_seq);
7fe9b298
GP		 3968
3969 del_timer(&pi->ack_timer);
1c2acffb 3970 }
30afb5b2
GP		 3971 return 0;
3972
8f17154f
GP		 3973expected:
3974 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
3975
3976 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
3b1a9f3f
GP		 3977 bt_cb(skb)->tx_seq = tx_seq;
3978 bt_cb(skb)->sar = sar;
3979 __skb_queue_tail(SREJ_QUEUE(sk), skb);
8f17154f
GP		 3980 return 0;
3981 }
3982
2ece3684
GP		 3983 err = l2cap_push_rx_skb(sk, skb, rx_control);
3984 if (err < 0)
3985 return 0;
3986
4ec10d97
GP		 3987 if (rx_control & L2CAP_CTRL_FINAL) {
3988 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
3989 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 3990 else
3991 l2cap_retransmit_frames(sk);
4ec10d97
GP		 3992 }
3993
c1b4f43b
GP		 3994 __mod_ack_timer();
3995
803020c6
GP		 3996 pi->num_acked = (pi->num_acked + 1) % num_to_ack;
3997 if (pi->num_acked == num_to_ack - 1)
9e917af1
GP		 3998 l2cap_send_ack(pi);
3999
8f17154f 4000 return 0;
9b53350d
JPRV		 4001
4002drop:
4003 kfree_skb(skb);
4004 return 0;
1c2acffb
GP		 4005}
4006
e072745f 4007static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
1c2acffb
GP		 4008{
4009 struct l2cap_pinfo *pi = l2cap_pi(sk);
6e3a5981 4010
0e98958d
GP		 4011 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, __get_reqseq(rx_control),
4012 rx_control);
4013
6e3a5981
GP		 4014 pi->expected_ack_seq = __get_reqseq(rx_control);
4015 l2cap_drop_acked_frames(sk);
1c2acffb 4016
e072745f 4017 if (rx_control & L2CAP_CTRL_POLL) {
3cb123d1 4018 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
05fbd89d
GP		 4019 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
4020 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
4021 (pi->unacked_frames > 0))
4022 __mod_retrans_timer();
4023
4024 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4025 l2cap_send_srejtail(sk);
4026 } else {
4027 l2cap_send_i_or_rr_or_rnr(sk);
05fbd89d 4028 }
1d8f5d16 4029
e072745f
GP		 4030 } else if (rx_control & L2CAP_CTRL_FINAL) {
4031 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4ec10d97 4032
e072745f
GP		 4033 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4034 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 4035 else
4036 l2cap_retransmit_frames(sk);
2246b2f1 4037
e072745f 4038 } else {
e072745f
GP		 4039 if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
4040 (pi->unacked_frames > 0))
4041 __mod_retrans_timer();
1c2acffb 4042
2246b2f1 4043 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
dfc909be 4044 if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
e072745f 4045 l2cap_send_ack(pi);
dfc909be 4046 } else {
e072745f 4047 l2cap_ertm_send(sk);
dfc909be 4048 }
e072745f
GP		 4049 }
4050}
2246b2f1 4051
e072745f
GP		 4052static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control)
4053{
4054 struct l2cap_pinfo *pi = l2cap_pi(sk);
4055 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 4056
0e98958d
GP		 4057 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4058
e072745f
GP		 4059 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
4060
8abb52ee 4061 pi->expected_ack_seq = tx_seq;
e072745f
GP		 4062 l2cap_drop_acked_frames(sk);
4063
4064 if (rx_control & L2CAP_CTRL_FINAL) {
4065 if (pi->conn_state & L2CAP_CONN_REJ_ACT)
4066 pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
dfc909be
GP		 4067 else
4068 l2cap_retransmit_frames(sk);
e072745f 4069 } else {
dfc909be 4070 l2cap_retransmit_frames(sk);
30afb5b2 4071
0301ef04 4072 if (pi->conn_state & L2CAP_CONN_WAIT_F)
e072745f 4073 pi->conn_state |= L2CAP_CONN_REJ_ACT;
e072745f
GP		 4074 }
4075}
4076static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control)
4077{
4078 struct l2cap_pinfo *pi = l2cap_pi(sk);
4079 u8 tx_seq = __get_reqseq(rx_control);
30afb5b2 4080
0e98958d
GP		 4081 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4082
e072745f 4083 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
2246b2f1 4084
e072745f
GP		 4085 if (rx_control & L2CAP_CTRL_POLL) {
4086 pi->expected_ack_seq = tx_seq;
4087 l2cap_drop_acked_frames(sk);
3cb123d1
GP		 4088
4089 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
dfc909be
GP		 4090 l2cap_retransmit_one_frame(sk, tx_seq);
4091
e072745f 4092 l2cap_ertm_send(sk);
dfc909be 4093
e072745f
GP		 4094 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
4095 pi->srej_save_reqseq = tx_seq;
4096 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 4097 }
e072745f
GP		 4098 } else if (rx_control & L2CAP_CTRL_FINAL) {
4099 if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
4100 pi->srej_save_reqseq == tx_seq)
4101 pi->conn_state &= ~L2CAP_CONN_SREJ_ACT;
4102 else
dfc909be 4103 l2cap_retransmit_one_frame(sk, tx_seq);
e072745f 4104 } else {
dfc909be 4105 l2cap_retransmit_one_frame(sk, tx_seq);
e072745f
GP		 4106 if (pi->conn_state & L2CAP_CONN_WAIT_F) {
4107 pi->srej_save_reqseq = tx_seq;
4108 pi->conn_state |= L2CAP_CONN_SREJ_ACT;
ef54fd93 4109 }
e072745f
GP		 4110 }
4111}
4112
4113static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control)
4114{
4115 struct l2cap_pinfo *pi = l2cap_pi(sk);
4116 u8 tx_seq = __get_reqseq(rx_control);
4117
0e98958d
GP		 4118 BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
4119
e072745f
GP		 4120 pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
4121 pi->expected_ack_seq = tx_seq;
4122 l2cap_drop_acked_frames(sk);
4123
3cb123d1
GP		 4124 if (rx_control & L2CAP_CTRL_POLL)
4125 pi->conn_state |= L2CAP_CONN_SEND_FBIT;
4126
99b0d4b7
GP		 4127 if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) {
4128 del_timer(&pi->retrans_timer);
a2e12a2a
GP		 4129 if (rx_control & L2CAP_CTRL_POLL)
4130 l2cap_send_rr_or_rnr(pi, L2CAP_CTRL_FINAL);
99b0d4b7 4131 return;
e072745f 4132 }
99b0d4b7
GP		 4133
4134 if (rx_control & L2CAP_CTRL_POLL)
4135 l2cap_send_srejtail(sk);
4136 else
4137 l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY);
e072745f
GP		 4138}
4139
4140static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
4141{
4142 BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
4143
9b16dc65
GP		 4144 if (L2CAP_CTRL_FINAL & rx_control &&
4145 l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
e072745f
GP		 4146 del_timer(&l2cap_pi(sk)->monitor_timer);
4147 if (l2cap_pi(sk)->unacked_frames > 0)
4148 __mod_retrans_timer();
4149 l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F;
4150 }
4151
4152 switch (rx_control & L2CAP_CTRL_SUPERVISE) {
4153 case L2CAP_SUPER_RCV_READY:
4154 l2cap_data_channel_rrframe(sk, rx_control);
8f17154f
GP		 4155 break;
4156
e072745f
GP		 4157 case L2CAP_SUPER_REJECT:
4158 l2cap_data_channel_rejframe(sk, rx_control);
4159 break;
2246b2f1 4160
e072745f
GP		 4161 case L2CAP_SUPER_SELECT_REJECT:
4162 l2cap_data_channel_srejframe(sk, rx_control);
4163 break;
4164
4165 case L2CAP_SUPER_RCV_NOT_READY:
4166 l2cap_data_channel_rnrframe(sk, rx_control);
1c2acffb
GP		 4167 break;
4168 }
4169
faaebd19 4170 kfree_skb(skb);
1c2acffb
GP		 4171 return 0;
4172}
4173
1da177e4
LT		 4174static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
4175{
4176 struct sock *sk;
6840ed07 4177 struct l2cap_pinfo *pi;
51893f88 4178 u16 control;
f6337c77 4179 u8 tx_seq, req_seq;
51893f88 4180 int len, next_tx_seq_offset, req_seq_offset;
1da177e4
LT		 4181
4182 sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
4183 if (!sk) {
4184 BT_DBG("unknown cid 0x%4.4x", cid);
4185 goto drop;
4186 }
4187
6840ed07
GP		 4188 pi = l2cap_pi(sk);
4189
1da177e4
LT		 4190 BT_DBG("sk %p, len %d", sk, skb->len);
4191
4192 if (sk->sk_state != BT_CONNECTED)
4193 goto drop;
4194
6840ed07 4195 switch (pi->mode) {
1c2acffb
GP		 4196 case L2CAP_MODE_BASIC:
4197 /* If socket recv buffers overflows we drop data here
4198 * which is *bad* because L2CAP has to be reliable.
4199 * But we don't have any other choice. L2CAP doesn't
4200 * provide flow control mechanism. */
1da177e4 4201
6840ed07 4202 if (pi->imtu < skb->len)
1c2acffb 4203 goto drop;
1da177e4 4204
1c2acffb
GP		 4205 if (!sock_queue_rcv_skb(sk, skb))
4206 goto done;
4207 break;
4208
4209 case L2CAP_MODE_ERTM:
4210 control = get_unaligned_le16(skb->data);
4211 skb_pull(skb, 2);
c74e560c 4212 len = skb->len;
1c2acffb 4213
26000089
GP		 4214 /*
4215 * We can just drop the corrupted I-frame here.
4216 * Receiver will miss it and start proper recovery
4217 * procedures and ask retransmission.
4218 */
4219 if (l2cap_check_fcs(pi, skb))
4220 goto drop;
4221
bc1b1f8b 4222 if (__is_sar_start(control) && __is_iframe(control))
c74e560c
GP		 4223 len -= 2;
4224
fcc203c3
GP		 4225 if (pi->fcs == L2CAP_FCS_CRC16)
4226 len -= 2;
4227
18778a63 4228 if (len > pi->mps) {
9b108fc0 4229 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
1c2acffb 4230 goto drop;
18778a63 4231 }
1c2acffb 4232
01760bdd
JPRV		 4233 req_seq = __get_reqseq(control);
4234 req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
4235 if (req_seq_offset < 0)
4236 req_seq_offset += 64;
4237
4238 next_tx_seq_offset =
4239 (pi->next_tx_seq - pi->expected_ack_seq) % 64;
4240 if (next_tx_seq_offset < 0)
4241 next_tx_seq_offset += 64;
4242
4243 /* check for invalid req-seq */
4244 if (req_seq_offset > next_tx_seq_offset) {
9b108fc0 4245 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
01760bdd
JPRV		 4246 goto drop;
4247 }
4248
277ffbe3 4249 if (__is_iframe(control)) {
51893f88 4250 if (len < 0) {
9b108fc0 4251 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
277ffbe3 4252 goto drop;
18778a63 4253 }
277ffbe3 4254
fcafde2e 4255 l2cap_data_channel_iframe(sk, control, skb);
277ffbe3 4256 } else {
18778a63 4257 if (len != 0) {
9b108fc0 4258 l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
277ffbe3 4259 goto drop;
18778a63 4260 }
277ffbe3 4261
fcafde2e 4262 l2cap_data_channel_sframe(sk, control, skb);
277ffbe3 4263 }
1c2acffb 4264
fcafde2e 4265 goto done;
1c2acffb 4266
6840ed07
GP		 4267 case L2CAP_MODE_STREAMING:
4268 control = get_unaligned_le16(skb->data);
4269 skb_pull(skb, 2);
4270 len = skb->len;
4271
26000089
GP		 4272 if (l2cap_check_fcs(pi, skb))
4273 goto drop;
4274
6840ed07
GP		 4275 if (__is_sar_start(control))
4276 len -= 2;
4277
fcc203c3
GP		 4278 if (pi->fcs == L2CAP_FCS_CRC16)
4279 len -= 2;
4280
51893f88 4281 if (len > pi->mps || len < 0 || __is_sframe(control))
6840ed07
GP		 4282 goto drop;
4283
4284 tx_seq = __get_txseq(control);
4285
4286 if (pi->expected_tx_seq == tx_seq)
4287 pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
4288 else
7dffe421 4289 pi->expected_tx_seq = (tx_seq + 1) % 64;
6840ed07 4290
18778a63 4291 l2cap_streaming_reassembly_sdu(sk, skb, control);
6840ed07
GP		 4292
4293 goto done;
4294
1c2acffb 4295 default:
e8235c6b 4296 BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode);
1c2acffb
GP		 4297 break;
4298 }
1da177e4
LT		 4299
4300drop:
4301 kfree_skb(skb);
4302
4303done:
0139418c
MH		 4304 if (sk)
4305 bh_unlock_sock(sk);
4306
1da177e4
LT		 4307 return 0;
4308}
4309
8e036fc3 4310static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
1da177e4
LT		 4311{
4312 struct sock *sk;
4313
4314 sk = l2cap_get_sock_by_psm(0, psm, conn->src);
4315 if (!sk)
4316 goto drop;
4317
4318 BT_DBG("sk %p, len %d", sk, skb->len);
4319
4320 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
4321 goto drop;
4322
4323 if (l2cap_pi(sk)->imtu < skb->len)
4324 goto drop;
4325
4326 if (!sock_queue_rcv_skb(sk, skb))
4327 goto done;
4328
4329drop:
4330 kfree_skb(skb);
4331
4332done:
af05b30b
GP		 4333 if (sk)
4334 bh_unlock_sock(sk);
1da177e4
LT		 4335 return 0;
4336}
4337
4338static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4339{
4340 struct l2cap_hdr *lh = (void *) skb->data;
8e036fc3
AV		 4341 u16 cid, len;
4342 __le16 psm;
1da177e4
LT		 4343
4344 skb_pull(skb, L2CAP_HDR_SIZE);
4345 cid = __le16_to_cpu(lh->cid);
4346 len = __le16_to_cpu(lh->len);
4347
1c2acffb
GP		 4348 if (len != skb->len) {
4349 kfree_skb(skb);
4350 return;
4351 }
4352
1da177e4
LT		 4353 BT_DBG("len %d, cid 0x%4.4x", len, cid);
4354
4355 switch (cid) {
8db4dc46 4356 case L2CAP_CID_SIGNALING:
1da177e4
LT		 4357 l2cap_sig_channel(conn, skb);
4358 break;
4359
8db4dc46 4360 case L2CAP_CID_CONN_LESS:
1b7bf4ed 4361 psm = get_unaligned_le16(skb->data);
1da177e4
LT		 4362 skb_pull(skb, 2);
4363 l2cap_conless_channel(conn, psm, skb);
4364 break;
4365
4366 default:
4367 l2cap_data_channel(conn, cid, skb);
4368 break;
4369 }
4370}
4371
4372/* ---- L2CAP interface with lower layer (HCI) ---- */
4373
4374static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4375{
4376 int exact = 0, lm1 = 0, lm2 = 0;
4377 register struct sock *sk;
4378 struct hlist_node *node;
4379
4380 if (type != ACL_LINK)
4381 return 0;
4382
4383 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4384
4385 /* Find listening sockets and check their link_mode */
4386 read_lock(&l2cap_sk_list.lock);
4387 sk_for_each(sk, node, &l2cap_sk_list.head) {
4388 if (sk->sk_state != BT_LISTEN)
4389 continue;
4390
4391 if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
2af6b9d5
MH		 4392 lm1 |= HCI_LM_ACCEPT;
4393 if (l2cap_pi(sk)->role_switch)
4394 lm1 |= HCI_LM_MASTER;
1da177e4 4395 exact++;
2af6b9d5
MH		 4396 } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
4397 lm2 |= HCI_LM_ACCEPT;
4398 if (l2cap_pi(sk)->role_switch)
4399 lm2 |= HCI_LM_MASTER;
4400 }
1da177e4
LT		 4401 }
4402 read_unlock(&l2cap_sk_list.lock);
4403
4404 return exact ? lm1 : lm2;
4405}
4406
4407static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4408{
0139418c
MH		 4409 struct l2cap_conn *conn;
4410
1da177e4
LT		 4411 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4412
4413 if (hcon->type != ACL_LINK)
4414 return 0;
4415
4416 if (!status) {
1da177e4
LT		 4417 conn = l2cap_conn_add(hcon, status);
4418 if (conn)
4419 l2cap_conn_ready(conn);
0139418c 4420 } else
1da177e4
LT		 4421 l2cap_conn_del(hcon, bt_err(status));
4422
4423 return 0;
4424}
4425
2950f21a
MH		 4426static int l2cap_disconn_ind(struct hci_conn *hcon)
4427{
4428 struct l2cap_conn *conn = hcon->l2cap_data;
4429
4430 BT_DBG("hcon %p", hcon);
4431
4432 if (hcon->type != ACL_LINK || !conn)
4433 return 0x13;
4434
4435 return conn->disc_reason;
4436}
4437
4438static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
1da177e4
LT		 4439{
4440 BT_DBG("hcon %p reason %d", hcon, reason);
4441
4442 if (hcon->type != ACL_LINK)
4443 return 0;
4444
4445 l2cap_conn_del(hcon, bt_err(reason));
0139418c 4446
1da177e4
LT		 4447 return 0;
4448}
4449
f62e4323
MH		 4450static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
4451{
bd3c9e25 4452 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
255c7601
MH		 4453 return;
4454
f62e4323
MH		 4455 if (encrypt == 0x00) {
4456 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
4457 l2cap_sock_clear_timer(sk);
4458 l2cap_sock_set_timer(sk, HZ * 5);
4459 } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
4460 __l2cap_sock_close(sk, ECONNREFUSED);
4461 } else {
4462 if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
4463 l2cap_sock_clear_timer(sk);
4464 }
4465}
4466
8c1b2355 4467static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
1da177e4
LT		 4468{
4469 struct l2cap_chan_list *l;
0139418c 4470 struct l2cap_conn *conn = hcon->l2cap_data;
1da177e4 4471 struct sock *sk;
1da177e4 4472
0139418c 4473 if (!conn)
1da177e4 4474 return 0;
0139418c 4475
1da177e4
LT		 4476 l = &conn->chan_list;
4477
4478 BT_DBG("conn %p", conn);
4479
4480 read_lock(&l->lock);
4481
4482 for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
4483 bh_lock_sock(sk);
4484
6a8d3010
MH		 4485 if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
4486 bh_unlock_sock(sk);
4487 continue;
4488 }
4489
f62e4323 4490 if (!status && (sk->sk_state == BT_CONNECTED ||
8c1b2355 4491 sk->sk_state == BT_CONFIG)) {
f62e4323 4492 l2cap_check_encryption(sk, encrypt);
9719f8af
MH		 4493 bh_unlock_sock(sk);
4494 continue;
4495 }
4496
b1235d79
MH		 4497 if (sk->sk_state == BT_CONNECT) {
4498 if (!status) {
4499 struct l2cap_conn_req req;
4500 req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
4501 req.psm = l2cap_pi(sk)->psm;
1da177e4 4502
b1235d79 4503 l2cap_pi(sk)->ident = l2cap_get_ident(conn);
e501d055 4504 l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
1da177e4 4505
b1235d79
MH		 4506 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4507 L2CAP_CONN_REQ, sizeof(req), &req);
4508 } else {
4509 l2cap_sock_clear_timer(sk);
4510 l2cap_sock_set_timer(sk, HZ / 10);
4511 }
4512 } else if (sk->sk_state == BT_CONNECT2) {
4513 struct l2cap_conn_rsp rsp;
4514 __u16 result;
1da177e4 4515
b1235d79
MH		 4516 if (!status) {
4517 sk->sk_state = BT_CONFIG;
4518 result = L2CAP_CR_SUCCESS;
4519 } else {
4520 sk->sk_state = BT_DISCONN;
4521 l2cap_sock_set_timer(sk, HZ / 10);
4522 result = L2CAP_CR_SEC_BLOCK;
4523 }
4524
4525 rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
4526 rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
4527 rsp.result = cpu_to_le16(result);
e7c29cb1 4528 rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
b1235d79
MH		 4529 l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
4530 L2CAP_CONN_RSP, sizeof(rsp), &rsp);
4531 }
1da177e4
LT		 4532
4533 bh_unlock_sock(sk);
4534 }
4535
4536 read_unlock(&l->lock);
b1235d79 4537
1da177e4
LT		 4538 return 0;
4539}
4540
4541static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4542{
4543 struct l2cap_conn *conn = hcon->l2cap_data;
4544
4545 if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
4546 goto drop;
4547
4548 BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
4549
4550 if (flags & ACL_START) {
4551 struct l2cap_hdr *hdr;
4552 int len;
4553
4554 if (conn->rx_len) {
4555 BT_ERR("Unexpected start frame (len %d)", skb->len);
4556 kfree_skb(conn->rx_skb);
4557 conn->rx_skb = NULL;
4558 conn->rx_len = 0;
4559 l2cap_conn_unreliable(conn, ECOMM);
4560 }
4561
4562 if (skb->len < 2) {
4563 BT_ERR("Frame is too short (len %d)", skb->len);
4564 l2cap_conn_unreliable(conn, ECOMM);
4565 goto drop;
4566 }
4567
4568 hdr = (struct l2cap_hdr *) skb->data;
4569 len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
4570
4571 if (len == skb->len) {
4572 /* Complete frame received */
4573 l2cap_recv_frame(conn, skb);
4574 return 0;
4575 }
4576
4577 BT_DBG("Start: total len %d, frag len %d", len, skb->len);
4578
4579 if (skb->len > len) {
4580 BT_ERR("Frame is too long (len %d, expected len %d)",
4581 skb->len, len);
4582 l2cap_conn_unreliable(conn, ECOMM);
4583 goto drop;
4584 }
4585
4586 /* Allocate skb for the complete frame (with header) */
af05b30b
GP		 4587 conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
4588 if (!conn->rx_skb)
1da177e4
LT		 4589 goto drop;
4590
d626f62b 4591 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4592 skb->len);
1da177e4
LT		 4593 conn->rx_len = len - skb->len;
4594 } else {
4595 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
4596
4597 if (!conn->rx_len) {
4598 BT_ERR("Unexpected continuation frame (len %d)", skb->len);
4599 l2cap_conn_unreliable(conn, ECOMM);
4600 goto drop;
4601 }
4602
4603 if (skb->len > conn->rx_len) {
4604 BT_ERR("Fragment is too long (len %d, expected %d)",
4605 skb->len, conn->rx_len);
4606 kfree_skb(conn->rx_skb);
4607 conn->rx_skb = NULL;
4608 conn->rx_len = 0;
4609 l2cap_conn_unreliable(conn, ECOMM);
4610 goto drop;
4611 }
4612
d626f62b 4613 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
e1027a7c 4614 skb->len);
1da177e4
LT		 4615 conn->rx_len -= skb->len;
4616
4617 if (!conn->rx_len) {
4618 /* Complete frame received */
4619 l2cap_recv_frame(conn, conn->rx_skb);
4620 conn->rx_skb = NULL;
4621 }
4622 }
4623
4624drop:
4625 kfree_skb(skb);
4626 return 0;
4627}
4628
aef7d97c 4629static int l2cap_debugfs_show(struct seq_file *f, void *p)
1da177e4
LT		 4630{
4631 struct sock *sk;
4632 struct hlist_node *node;
1da177e4
LT		 4633
4634 read_lock_bh(&l2cap_sk_list.lock);
4635
be9d1227
MH		 4636 sk_for_each(sk, node, &l2cap_sk_list.head) {
4637 struct l2cap_pinfo *pi = l2cap_pi(sk);
101545f6 4638
aef7d97c
MH		 4639 seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
4640 batostr(&bt_sk(sk)->src),
4641 batostr(&bt_sk(sk)->dst),
4642 sk->sk_state, __le16_to_cpu(pi->psm),
4643 pi->scid, pi->dcid,
4644 pi->imtu, pi->omtu, pi->sec_level);
be9d1227 4645 }
1da177e4 4646
1da177e4 4647 read_unlock_bh(&l2cap_sk_list.lock);
1da177e4 4648
aef7d97c 4649 return 0;
1da177e4
LT		 4650}
4651
aef7d97c
MH		 4652static int l2cap_debugfs_open(struct inode *inode, struct file *file)
4653{
4654 return single_open(file, l2cap_debugfs_show, inode->i_private);
4655}
4656
4657static const struct file_operations l2cap_debugfs_fops = {
4658 .open = l2cap_debugfs_open,
4659 .read = seq_read,
4660 .llseek = seq_lseek,
4661 .release = single_release,
4662};
4663
4664static struct dentry *l2cap_debugfs;
1da177e4 4665
90ddc4f0 4666static const struct proto_ops l2cap_sock_ops = {
1da177e4
LT		 4667 .family = PF_BLUETOOTH,
4668 .owner = THIS_MODULE,
4669 .release = l2cap_sock_release,
4670 .bind = l2cap_sock_bind,
4671 .connect = l2cap_sock_connect,
4672 .listen = l2cap_sock_listen,
4673 .accept = l2cap_sock_accept,
4674 .getname = l2cap_sock_getname,
4675 .sendmsg = l2cap_sock_sendmsg,
f66dc81f 4676 .recvmsg = l2cap_sock_recvmsg,
1da177e4 4677 .poll = bt_sock_poll,
3241ad82 4678 .ioctl = bt_sock_ioctl,
1da177e4
LT		 4679 .mmap = sock_no_mmap,
4680 .socketpair = sock_no_socketpair,
1da177e4
LT		 4681 .shutdown = l2cap_sock_shutdown,
4682 .setsockopt = l2cap_sock_setsockopt,
4683 .getsockopt = l2cap_sock_getsockopt
4684};
4685
ec1b4cf7 4686static const struct net_proto_family l2cap_sock_family_ops = {
1da177e4
LT		 4687 .family = PF_BLUETOOTH,
4688 .owner = THIS_MODULE,
4689 .create = l2cap_sock_create,
4690};
4691
4692static struct hci_proto l2cap_hci_proto = {
4693 .name = "L2CAP",
4694 .id = HCI_PROTO_L2CAP,
4695 .connect_ind = l2cap_connect_ind,
4696 .connect_cfm = l2cap_connect_cfm,
4697 .disconn_ind = l2cap_disconn_ind,
2950f21a 4698 .disconn_cfm = l2cap_disconn_cfm,
8c1b2355 4699 .security_cfm = l2cap_security_cfm,
1da177e4
LT		 4700 .recv_acldata = l2cap_recv_acldata
4701};
4702
4703static int __init l2cap_init(void)
4704{
4705 int err;
be9d1227 4706
1da177e4
LT		 4707 err = proto_register(&l2cap_proto, 0);
4708 if (err < 0)
4709 return err;
4710
1890d36b
GP		 4711 _busy_wq = create_singlethread_workqueue("l2cap");
4712 if (!_busy_wq)
4713 goto error;
4714
1da177e4
LT		 4715 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
4716 if (err < 0) {
4717 BT_ERR("L2CAP socket registration failed");
4718 goto error;
4719 }
4720
4721 err = hci_register_proto(&l2cap_hci_proto);
4722 if (err < 0) {
4723 BT_ERR("L2CAP protocol registration failed");
4724 bt_sock_unregister(BTPROTO_L2CAP);
4725 goto error;
4726 }
4727
aef7d97c
MH		 4728 if (bt_debugfs) {
4729 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4730 bt_debugfs, NULL, &l2cap_debugfs_fops);
4731 if (!l2cap_debugfs)
4732 BT_ERR("Failed to create L2CAP debug file");
4733 }
1da177e4
LT		 4734
4735 BT_INFO("L2CAP ver %s", VERSION);
4736 BT_INFO("L2CAP socket layer initialized");
4737
4738 return 0;
4739
4740error:
4741 proto_unregister(&l2cap_proto);
4742 return err;
4743}
4744
4745static void __exit l2cap_exit(void)
4746{
aef7d97c 4747 debugfs_remove(l2cap_debugfs);
1da177e4 4748
1890d36b
GP		 4749 flush_workqueue(_busy_wq);
4750 destroy_workqueue(_busy_wq);
4751
1da177e4
LT		 4752 if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
4753 BT_ERR("L2CAP socket unregistration failed");
4754
4755 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4756 BT_ERR("L2CAP protocol unregistration failed");
4757
4758 proto_unregister(&l2cap_proto);
4759}
4760
4761void l2cap_load(void)
4762{
4763 /* Dummy function to trigger automatic L2CAP module loading by
4764 * other modules that use L2CAP sockets but don't use any other
4765 * symbols from it. */
1da177e4
LT		 4766}
4767EXPORT_SYMBOL(l2cap_load);
4768
4769module_init(l2cap_init);
4770module_exit(l2cap_exit);
4771
44dd46de
MH		 4772module_param(enable_ertm, bool, 0644);
4773MODULE_PARM_DESC(enable_ertm, "Enable enhanced retransmission mode");
4774
63fbd24e 4775MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1da177e4
LT		 4776MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
4777MODULE_VERSION(VERSION);
4778MODULE_LICENSE("GPL");
4779MODULE_ALIAS("bt-proto-0");
kernel source for telekom puls (alcatel/mediatek)